From: Alexander Stein
To: NXP Linux Team, Emanuele Ghidoli
Cc: Pengutronix Kernel Team, linux-i2c@vger.kernel.org, linux-arm-kernel@lists.infradead.org, Dong Aisheng, Shawn Guo, Sascha Hauer, Fabio Estevam
Subject: Re: [PATCH 1/2] i2c: imx-lpi2c: clean rx/tx buffers upon new message
Date: Thu, 02 Mar 2023 12:15:51 +0100
Message-ID: <2672031.mvXUDI8C0e@steina-w>
Organization: TQ-Systems GmbH
In-Reply-To: <4d06ffe5-3ff6-241e-b35b-794c075f288e@gmail.com>
References: <20230130153247.445027-1-alexander.stein@ew.tq-group.com> <4d06ffe5-3ff6-241e-b35b-794c075f288e@gmail.com>

Hi Emanuele,

On Thursday, 2 March 2023, 12:06:18 CET, Emanuele Ghidoli wrote:
> On 30/01/2023 16:32, Alexander Stein wrote:
> > When start sending a new message clear the Rx & Tx buffer pointers in
> > order to avoid using stale pointers.
> >
> > Signed-off-by: Alexander Stein
> > ---
> > I noticed an ambiguous stack corruption once my rtc-pcf85063 driver probes.
> >
> > [    2.695684] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: pcf85063_rtc_read_time+0x10/0x100
> > [    2.706669] CPU: 1 PID: 63 Comm: kworker/u8:2 Not tainted 6.2.0-rc6-next-20230130+ #1185 ca067559321ae817c063baccdba80d328f10f73
> > [    2.718331] Hardware name: TQ-Systems i.MX8QXP TQMa8XQP on MBa8Xx (DT)
> > [    2.724866] Workqueue: events_unbound deferred_probe_work_func
> > [    2.730712] Call trace:
> > [    2.733161] dump_backtrace+0x9c/0x11c
> > [    2.736914] show_stack+0x14/0x1c
> > [    2.740232] dump_stack_lvl+0x5c/0x78
> > [    2.743907] dump_stack+0x14/0x1c
> > [    2.747225] panic+0x34c/0x39c
> > [    2.750283] __ktime_get_real_seconds+0x0/0xc
> > [    2.754653] pcf85063_ioctl+0x0/0xf0
> > [    2.758232] __rtc_read_time+0x44/0x114
> > [    2.762081] __rtc_read_alarm+0x258/0x460
> > [    2.766095] __devm_rtc_register_device+0x174/0x2b4
> > [    2.770986] pcf85063_probe+0x258/0x4d4
> > [    2.774825] i2c_device_probe+0x100/0x33c
> >
> > The backtrace did not indicate the actual cause of it. Checking the code
> > the RTC driver seemed to be ok, so it has to be in the i2c bus driver. At
> > some point I noticed that I see both Rx and Tx interrupts at the same
> > time, which is odd. Also both rx_buf and tx_buf was set simultaneously.
> > Clearly a bug to me.
> > Clearing the buffer pointers upon each new i2c message triggered a NULL
> > pointer dereference:
> >
> > [    2.694923] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000001
> > [    2.703730] Mem abort info:
> > [    2.706525] ESR = 0x0000000096000004
> > [    2.710278] EC = 0x25: DABT (current EL), IL = 32 bits
> > [    2.715595] SET = 0, FnV = 0
> > [    2.718653] EA = 0, S1PTW = 0
> > [    2.721798] FSC = 0x04: level 0 translation fault
> > [    2.726680] Data abort info:
> > [    2.729556] ISV = 0, ISS = 0x00000004
> > [    2.733387] CM = 0, WnR = 0
> > [    2.736358] [0000000000000001] user address but active_mm is swapper
> > [    2.742719] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
> > [    2.748990] Modules linked in:
> > [    2.752051] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.2.0-rc6-next-20230130+ #1184 44a8abebca6bfabc93e20ac52bce 47da7f92cec1
> > [    2.763368] Hardware name: TQ-Systems i.MX8QXP TQMa8XQP on MBa8Xx (DT)
> > [    2.769902] pstate: 800000c5 (Nzcv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> > [    2.776868] pc : lpi2c_imx_write_txfifo+0x44/0xb0
> > [    2.781585] lr : lpi2c_imx_isr+0x60/0x8c
> > [    2.785512] sp : ffff800008003ef0
> > [    2.788831] x29: ffff800008003ef0 x28: ffff8000099c1ec0 x27: 00000000bfe632c8
> > [    2.795980] x26: 0000000000000000 x25: ffff800009b935ed x24: ffff800009a4d4c0
> > [    2.803130] x23: ffff00000365e800 x22: 0000000000000128 x21: 0000000000000000
> > [    2.810280] x20: ffff0000033f4080 x19: 0000000003000103 x18: 0000000000000000
> > [    2.817430] x17: ffff80003688a000 x16: ffff800008000000 x15: 0000000000000000
> > [    2.824579] x14: 0000000000000000 x13: ffff8000099d1db8 x12: 0000000000000000
> > [    2.831729] x11: ffff800009503180 x10: 0000000000000a80 x9 : ffff8000099b3d20
> > [    2.838879] x8 : ffff8000099c29a0 x7 : 00000000000000c0 x6 : ffff000002838028
> > [    2.846029] x5 : 0000000000000002 x4 : 0000000000000000 x3 : 0000000000000000
> > [    2.849626] imx-scu system-controller: RPC send msg timeout
> > [    2.853178] x2 : ffff800009c88060 x1 : 0000000000000001 x0 : ffff0000033f4080
> > [    2.858764] enet1: failed to power off resource 252 ret -110
> > [    2.865897] Call trace:
> > [    2.865901] lpi2c_imx_write_txfifo+0x44/0xb0
> > [    2.878443] __handle_irq_event_percpu+0x5c/0x188
> > [    2.883151] handle_irq_event+0x48/0xb0
> >
> > $ ./scripts/faddr2line build_arm64/vmlinux lpi2c_imx_write_txfifo+0x44/0xb0
> > lpi2c_imx_write_txfifo+0x44/0xb0:
> > lpi2c_imx_write_txfifo at drivers/i2c/busses/i2c-imx-lpi2c.c:364
> >
> > This now clearly pinpoints the wrong access which previously corrupted the
> > stack. The error leading to this wrong access is addressed in the
> > following patch.
> >
> > drivers/i2c/busses/i2c-imx-lpi2c.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/drivers/i2c/busses/i2c-imx-lpi2c.c > > b/drivers/i2c/busses/i2c-imx-lpi2c.c index 188f2a36d2fd..c6d0225246e6 > > 100644 > > --- a/drivers/i2c/busses/i2c-imx-lpi2c.c > > +++ b/drivers/i2c/busses/i2c-imx-lpi2c.c
> > @@ -463,6 +463,8 @@ static int lpi2c_imx_xfer(struct i2c_adapter *adapt= er, > > = > > if (num =3D=3D 1 && msgs[0].len =3D=3D 0) > > = > > goto stop; > > = > > + lpi2c_imx->rx_buf =3D NULL; > > + lpi2c_imx->tx_buf =3D NULL; > > = > > lpi2c_imx->delivered =3D 0; > > lpi2c_imx->msglen =3D msgs[i].len; > > init_completion(&lpi2c_imx->complete);
>
> Hello,
> I have the same problem with rtc-ds1307 driver and NXP imx8x (using
> i2c-imx-lpi2c.c bus driver). I do not have the full stack trace but I'm
> sure it is very similar:
> [   10.750015] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ds1307_get_time+0x2a4/0x2c4 [rtc_ds1307]
>
> Your patches are fixing this too and they seem good to me.
> About the [2/2] patch your approach sounds better to me than the downstream
> approach.
>
> Emanuele Ghidoli

Thanks for the feedback. Could you provide then a Tested-by tag?

Best regards,
Alexander
--
TQ-Systems GmbH | Mühlstraße 2, Gut Delling | 82229 Seefeld, Germany
Amtsgericht München, HRB 105018
Managing Directors: Detlef Schneider, Rüdiger Stahl, Stefan Schneider
http://www.tq-group.com/
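
Review bot: the two added assignments in the quoted lpi2c_imx_xfer() hunk (`lpi2c_imx->rx_buf = NULL;` and `lpi2c_imx->tx_buf = NULL;`) on their own replace the stale-pointer write with a NULL dereference in lpi2c_imx_write_txfifo(), as the oops in the notes after `---` shows, so a tree carrying only 1/2 still crashes at probe. Consider applying the fix from 2/2 first, or folding the two patches, so that every commit in the series boots during bisection. The analysis of the stack-protector panic and of the simultaneous Rx and Tx interrupts sits below the `---` and is dropped when the patch is applied; a short version of it in the commit message would record why the pointers are cleared at the start of each message.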