From: Jonathan Cameron <jic23@cam.ac.uk>
To: "Hennerich, Michael" <Michael.Hennerich@analog.com>
Cc: "linux-iio@vger.kernel.org" <linux-iio@vger.kernel.org>
Subject: Re: iio_trigger_poll_chained causes NULL pointer access
Date: Tue, 19 Apr 2011 16:42:42 +0100
Message-ID: <4DADAD72.9070701@cam.ac.uk>
In-Reply-To: <544AC56F16B56944AEC3BD4E3D591771375475ED44@LIMKCMBX1.ad.analog.com>

On 04/19/11 16:22, Hennerich, Michael wrote:
> Hi Jonathan,
> 
> The AD7606 ring buffer doesn't use the thread, and installs only the hard handler.
> 
>         indio_dev->pollfunc->h = &ad7606_trigger_handler_th;
>         indio_dev->pollfunc->thread = NULL;
> 
> This crashes the system in handle_nested_irq (null pointer action->thread_fn)
> called from iio_trigger_poll_chained().
I knew that wouldn't work, but didn't realize it wouldn't just fail with
an error...

The only thing I can think to do is to actually set both h and thread
to ad7606_trigger_handler_th.

As it returns IRQ_HANDLED, if it is called via irq_trigger_poll, it will
happen in interrupt context and thread will never run.

If it is called via irq_trigger_poll_handler (e.g. for non-interrupt context)
it'll happen outside interrupt context. Given timing is never going to
be that tight for userspace triggers, this probably isn't a problem.

Can you try that out and see if it works?
> 
> root:/> echo 1 > /sys/bus/iio/devices/trigger0/trigger_now
> Jump to NULL address
> Kernel OOPS in progress
> Deferred Exception context
> CURRENT PROCESS:
> COMM=sh PID=166  CPU=0
> TEXT = 0x02a00040-0x02a54380        DATA = 0x02a543a0-0x02a68d28
>  BSS = 0x02a68d28-0x02a6a6e0  USER-STACK = 0x02a73fa4
> 
> return address: [0x  (null)]; contents of:
> 
> ADSP-BF537-0.2 500(MHz CCLK) 125(MHz SCLK) (mpu off)
> Linux version 2.6.39-rc3-00802-g1f36cb3-dirty (michael@mhenneri-D02) (gcc version 4.3.5 (ADI-trunk/svn-5074) ) #84 Tue Apr 19 17:09:10 CEST 2011
> 
> SEQUENCER STATUS:               Not tainted
>  SEQSTAT: 0000002d  IPEND: 8008  IMASK: ffff  SYSCFG: 0006
>   EXCAUSE   : 0x2d
>   physical IVG3 asserted : <0xffa007b4> { _trap + 0x0 }
>   physical IVG15 asserted : <0xffa01098> { _evt_system_call + 0x0 }
>   logical irq   6 mapped  : <0xffa003c8> { _bfin_coretmr_interrupt + 0x0 }
>   logical irq  10 mapped  : <0x000c0278> { _bfin_rtc_interrupt + 0x0 }
>   logical irq  16 mapped  : <0x000c2114> { _bfin_twi_interrupt_entry + 0x0 }
>   logical irq  18 mapped  : <0x000ab53c> { _bfin_serial_dma_rx_int + 0x0 }
>   logical irq  19 mapped  : <0x000ab29c> { _bfin_serial_dma_tx_int + 0x0 }
>   logical irq  24 mapped  : <0x000baa40> { _bfin_mac_interrupt + 0x0 }
>   logical irq  54 mapped  : <0x000cce0c> { _ad7606_interrupt + 0x0 }
>   logical irq 106 mapped  : <0x000cd390> { _ad7606_trigger_handler_th + 0x0 }
>  RETE: <0x00000000> /* Maybe null pointer? */
>  RETN: <0x028f7e3c> /* kernel dynamic memory (maybe user-space) */
>  RETX: <0x00000480> /* Maybe fixed code section */
>  RETS: <0x00036778> { _handle_nested_irq + 0x58 }
>  PC  : <0x00000000> /* Maybe null pointer? */
> DCPLB_FAULT_ADDR: <0x028e71f4> /* kernel dynamic memory (maybe user-space) */
> ICPLB_FAULT_ADDR: <0x00000000> /* Maybe null pointer? */
> PROCESSOR STATE:
>  R0 : 0000006a    R1 : 027f8c80    R2 : 00000000    R3 : 028dc3c4
>  R4 : 026cf860    R5 : 028e77b4    R6 : 00000002    R7 : 0000006a
>  P0 : 02078002    P1 : 00000089    P2 : 00000000    P3 : 00130080
>  P4 : 00195efc    P5 : 0019b488    FP : 028f7ef0    SP : 028f7d60
>  LB0: ffa01778    LT0: ffa01776    LC0: 00000000
>  LB1: 02a0cfdd    LT1: 02a0cf92    LC1: 00000000
>  B0 : 00000001    L0 : 00000000    M0 : 0000002c    I0 : 00195efc
>  B1 : 00000001    L1 : 00000000    M1 : 00000001    I1 : 02a73d88
>  B2 : 02a739c3    L2 : 00000000    M2 : 00000000    I2 : 02a68a20
>  B3 : 00000001    L3 : 00000000    M3 : 00000000    I3 : 00000000
> A0.w: 00000000   A0.x: 00000000   A1.w: 00000000   A1.x: 00000000
> USP : 02a73d10  ASTAT: 02000020
> 
> Hardware Trace:
>    0 Target : <0x00003fa8> { _trap_c + 0x0 }
>      Source : <0xffa00748> { _exception_to_level5 + 0xa4 } JUMP.L
>    1 Target : <0xffa006a4> { _exception_to_level5 + 0x0 }
>      Source : <0xffa00558> { _bfin_return_from_exception + 0x20 } RTX
>    2 Target : <0xffa00538> { _bfin_return_from_exception + 0x0 }
>      Source : <0xffa005fc> { _ex_trap_c + 0x74 } JUMP.S
>    3 Target : <0xffa00588> { _ex_trap_c + 0x0 }
>      Source : <0xffa0081c> { _trap + 0x68 } JUMP (P4)
>    4 Target : <0xffa007d2> { _trap + 0x1e }
>      Source : <0xffa007ce> { _trap + 0x1a } IF CC JUMP pcrel
>    5 Target : <0xffa007b4> { _trap + 0x0 }
>       FAULT : <0x00000000> /* Maybe null pointer? */
>      Source : <0x00036776> { _handle_nested_irq + 0x56 } CALL (P2)
>    6 Target : <0x00036732> { _handle_nested_irq + 0x12 }
>      Source : <0xffa0214c> { __cond_resched + 0x20 } RTS
>    7 Target : <0xffa02146> { __cond_resched + 0x1a }
>      Source : <0xffa0213e> { __cond_resched + 0x12 } IF CC JUMP pcrel (BP)
>    8 Target : <0xffa0212c> { __cond_resched + 0x0 }
>      Source : <0x0003672e> { _handle_nested_irq + 0xe } JUMP.L
>    9 Target : <0x0003672c> { _handle_nested_irq + 0xc }
>      Source : <0x000348e6> { _irq_to_desc + 0x1a } RTS
>   10 Target : <0x000348cc> { _irq_to_desc + 0x0 }
>      Source : <0x00036728> { _handle_nested_irq + 0x8 } JUMP.L
>   11 Target : <0x00036720> { _handle_nested_irq + 0x0 }
>      Source : <0x000cbd2c> { _iio_trigger_poll_chained + 0x58 } JUMP.L
>   12 Target : <0x000cbd22> { _iio_trigger_poll_chained + 0x4e }
>      Source : <0x000cbcf0> { _iio_trigger_poll_chained + 0x1c } IF !CC JUMP pcrel
>   13 Target : <0x000cbcd4> { _iio_trigger_poll_chained + 0x0 }
>      Source : <0x000cd518> { _iio_sysfs_trigger_poll + 0xc } CALL pcrel
>   14 Target : <0x000cd514> { _iio_sysfs_trigger_poll + 0x8 }
>      Source : <0x000afdf2> { _dev_get_drvdata + 0x16 } RTS
>   15 Target : <0x000afde6> { _dev_get_drvdata + 0xa }
>      Source : <0x000afde0> { _dev_get_drvdata + 0x4 } IF !CC JUMP pcrel
> Kernel Stack
> Stack info:
>  SP: [0x028f7f24] <0x028f7f24> /* kernel dynamic memory (maybe user-space) */
>  Memory from 0x028f7f20 to 028f8000
> 028f7f20: 7fffffff [02a039de]
>  00000000  00000000  028f8000  02a039de  02a039de
> 028f7f40: 02a158ea  ffa010fc  02001004  02a0cfdd  02a0cdcd  02a0cf92  02a0cdca  00000000
> 028f7f60: 00000000  00000000  00000000  00000000  00000000  00000001  02a739c3  00000001
> 028f7f80: 00000001  00000000  00000000  00000000  00000000  00000000  00000000  00000001
> 028f7fa0: 00000000  00000000  02a68a20  02a73d88  029ea578  02a73d10  02a73d1c  02a695c8
> 028f7fc0: 02a6870c  02a73d94  02a695ca  02a6870c  00000004  00000002  00000002  7fffffff
> 028f7fe0: 00000000  00000000  00000002  02a695c8  00000001  00000001  00000004  00000006
> Return addresses in stack:
>     address : <0x00008000> { _show_regs + 0x154 }
> Modules linked in:
> Kernel panic - not syncing: Kernel exception
> Hardware Trace:
> Stack info:
>  SP: [0x028f7c68] <0x028f7c68> /* kernel dynamic memory (maybe user-space) */
>  FP: (0x028f7d78)
>  Memory from 0x028f7c60 to 028f8000
> 028f7c60: 028f7c68  00000013 [00155970] 00124660  028f7d60  00155970  001893cb  001893cb
> 028f7c80: 001893cb  028f7cb0  028f7ef0  00004464  028f7d60  ffe02014  00130080  00008008
> 028f7ca0: 0000000b  0000002d  00000013  028f7d60  0000003f  ffffffff  0007e710  00000000
> 028f7cc0: 0003000b  0005bd68  0000a068  028dc3c4  028f7ec4  01a02a64  00000001  00000000
> 028f7ce0: 00000000  00000000  028f7ec4  0005bc60  02a9d8cc  02a96b54  02a9d8cc  00000002
> 028f7d00: 0000a068  00000000  00000008  00051b04  00000002  02a9d8cc  00000002  00000000
> 028f7d20: 00000000  0004aace  02a96b54  028f7e34  0000002c  00000000  001a38e4  ffa0074c
> 028f7d40: 00186000  00008008  0000002d  028e77b4  026cf860  009c5234  00000001  00000480
> 028f7d60: 00000480  00008008  0000002d  00000000  028f7e3c  00000480 (00000000)
> 028f7d80: 0000006a  02000020  02a0cfdd  ffa01778  02a0cf92  ffa01776  00000000  00000000
> 028f7da0: 00000000  00000000  00000000  00000000  00000001  02a739c3  00000001  00000001
> 028f7dc0: 00000000  00000000  00000000  00000000  00000000  00000000  00000001  0000002c
> 028f7de0: 00000000  02a68a20  02a73d88  00195efc  02a73d10  028f7ef0  0019b488  00195efc
> 028f7e00: 00130080  00000000  00000089  02078002  0000006a  00000002  028e77b4  026cf860
> 028f7e20: 028dc3c4  00000000  027f8c80  0000006a  0000006a  02078002  00000006  a92f6ddb
> 028f7e40: 001a38c0  028f7ef0  000cbd30  029a0200  028dc3c4  029a0210  00000000  00000002
> 028f7e60: 028e77b4  000cd51c  028e77a0  00000000  0007eabc  029a0210 <0007eb30> 00000000
> 028f7e80: 00000000  00000000  00000002  02a73d1c <0004baa6> 026cf860  00000004  02a73d94
> 028f7ea0: 028f7ef0  00000002  02a695c8  00000000  00000004  00000000  02a73d7c  028f7ef0
> 028f7ec0: 026cf860  00000006  0004bbbc  026cf860  00000004  02a695c8  00000002  7fffffff
> 028f7ee0: 026cf860  00000001  00000000  028f7ef0  00000000  00000000  00000000 <ffa00956>
> 028f7f00: 0004bb8c  00000000  ffffe000  ffffe000  7fffffff  0000fffe  00000000  00000000
> 028f7f20: 7fffffff  02a039de
>  00000000  00000000  028f8000  02a039de  02a039de
> 028f7f40: 02a158ea  ffa010fc  02001004  02a0cfdd  02a0cdcd  02a0cf92  02a0cdca  00000000
> 028f7f60: 00000000  00000000  00000000  00000000  00000000  00000001  02a739c3  00000001
> 028f7f80: 00000001  00000000  00000000  00000000  00000000  00000000  00000000  00000001
> 028f7fa0: 00000000  00000000  02a68a20  02a73d88  029ea578  02a73d10  02a73d1c  02a695c8
> 028f7fc0: 02a6870c  02a73d94  02a695ca  02a6870c  00000004  00000002  00000002  7fffffff
> 028f7fe0: 00000000  00000000  00000002  02a695c8  00000001  00000001  00000004  00000006
> Return addresses in stack:
>    frame  1 : <0x00036778> { _handle_nested_irq + 0x58 }
>     address : <0x0007eb30> { _sysfs_write_file + 0xac }
>     address : <0x0004baa6> { _vfs_write + 0x6a }
>     address : <0xffa00956> { _system_call + 0x6a }
>     address : <0x00008000> { _show_regs + 0x154 }
> 
> 

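The failure mode in this message is two dispatch paths with different contracts for the same poll function: the hard-irq path runs `h` and only wakes `thread` if `h` asks for it, while the chained path goes through handle_nested_irq() and calls the thread handler directly, which is the jump to NULL at `_handle_nested_irq + 0x58` in the trace above. The C model below is an added example, not code from this thread or from the kernel; it plays the reported setup (`thread = NULL`) and the proposed fix (the same handler in both slots) through both paths. It assumes iio_trigger_poll() behaves like generic_handle_irq() with a threaded action (run `h`, run `thread` only on IRQ_WAKE_THREAD) and that iio_trigger_poll_chained() calls the thread handler without checking it for NULL, which is what the oops shows; the model reports that case as a fault instead of performing the indirect call. The names `ad7606_handler_model`, `run_scenario`, `handler_calls` and the irq number 106 are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the two IIO trigger dispatch paths; not kernel code. */

typedef enum { IRQ_NONE = 0, IRQ_HANDLED = 1, IRQ_WAKE_THREAD = 2 } irqreturn_t;
typedef irqreturn_t (*irq_handler_t)(int irq, void *p);

/* Model of struct iio_poll_func: a hard-irq handler and a threaded handler. */
struct iio_poll_func {
	irq_handler_t h;
	irq_handler_t thread;
	void *private_data;
};

enum dispatch { DISPATCH_OK, DISPATCH_NULL_HANDLER, DISPATCH_UNHANDLED };

/* Stand-in for the ad7606 handler: counts invocations and returns
 * IRQ_HANDLED, so it never asks for a threaded follow-up. */
struct ad7606_model { int calls; };

static irqreturn_t ad7606_handler_model(int irq, void *p)
{
	(void)irq;
	((struct ad7606_model *)p)->calls++;
	return IRQ_HANDLED;
}

/* Model of iio_trigger_poll(): assumed to act like generic_handle_irq() with a
 * threaded action: run h in "interrupt context", run thread only on
 * IRQ_WAKE_THREAD. */
static enum dispatch poll_hardirq_path(struct iio_poll_func *pf, int irq, int *thread_ran)
{
	irqreturn_t r;

	*thread_ran = 0;
	if (!pf->h)
		return DISPATCH_NULL_HANDLER;
	r = pf->h(irq, pf->private_data);
	if (r == IRQ_WAKE_THREAD) {
		if (!pf->thread)
			return DISPATCH_NULL_HANDLER;
		pf->thread(irq, pf->private_data);
		*thread_ran = 1;
	}
	return r == IRQ_NONE ? DISPATCH_UNHANDLED : DISPATCH_OK;
}

/* Model of iio_trigger_poll_chained() -> handle_nested_irq(): h is bypassed and
 * the thread handler is called directly. The real kernel jumped to NULL here;
 * the model reports the fault instead of calling through a NULL pointer. */
static enum dispatch poll_chained_path(struct iio_poll_func *pf, int irq)
{
	if (!pf->thread)
		return DISPATCH_NULL_HANDLER;
	return pf->thread(irq, pf->private_data) == IRQ_NONE ? DISPATCH_UNHANDLED : DISPATCH_OK;
}

/* The driver setup from the report: hard handler only, thread left NULL. */
static void setup_hard_only(struct iio_poll_func *pf, struct ad7606_model *dev)
{
	pf->h = ad7606_handler_model;
	pf->thread = NULL;
	pf->private_data = dev;
}

/* The proposed fix: the same handler in both slots. */
static void setup_both(struct iio_poll_func *pf, struct ad7606_model *dev)
{
	pf->h = ad7606_handler_model;
	pf->thread = ad7606_handler_model;
	pf->private_data = dev;
}

/* Run one configuration through one path. If calls is non-NULL it receives
 * how many times the device handler actually ran. */
static enum dispatch run_scenario(int use_both, int use_chained, int *calls)
{
	struct ad7606_model dev = { 0 };
	struct iio_poll_func pf;
	int thread_ran = 0;
	enum dispatch d;

	if (use_both)
		setup_both(&pf, &dev);
	else
		setup_hard_only(&pf, &dev);

	d = use_chained ? poll_chained_path(&pf, 106)
			: poll_hardirq_path(&pf, 106, &thread_ran);
	if (calls)
		*calls = dev.calls;
	return d;
}

static int handler_calls(int use_both, int use_chained)
{
	int c = 0;

	run_scenario(use_both, use_chained, &c);
	return c;
}

int main(void)
{
	static const char *names[] = { "ok", "NULL handler (would oops)", "unhandled" };
	int both, chained;

	for (both = 0; both < 2; both++)
		for (chained = 0; chained < 2; chained++)
			printf("%-9s via %-7s -> %s, handler ran %d time(s)\n",
			       both ? "h+thread" : "h only",
			       chained ? "chained" : "hardirq",
			       names[run_scenario(both, chained, NULL)],
			       handler_calls(both, chained));
	return 0;
}
```

The run shows why the proposed fix is sound for this driver: with the handler in both slots, the hardirq path runs it once and never schedules the thread (it returned IRQ_HANDLED), and the chained path runs the same function once from the thread slot. The hard-only setup only survives on the hardirq path. A core-side hardening that follows from the model (a suggestion, not something the thread proposes) would be for the chained path, or the registration that attaches a poll function to a trigger, to reject a NULL thread handler up front instead of relying on every driver to fill both slots.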


Thread overview: 6+ messages
2011-04-19 15:22 iio_trigger_poll_chained causes NULL pointer access Hennerich, Michael
2011-04-19 15:42 ` Jonathan Cameron [this message]
2011-04-19 18:00   ` Hennerich, Michael
2011-04-20  7:36     ` Hennerich, Michael
2011-04-20  9:27       ` Jonathan Cameron
2011-04-20  9:18     ` Jonathan Cameron
