From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ppsw-41.csi.cam.ac.uk ([131.111.8.141]:43714 "EHLO ppsw-41.csi.cam.ac.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1757667Ab2DLUVg (ORCPT ); Thu, 12 Apr 2012 16:21:36 -0400 Message-ID: <4F87394F.8080001@cam.ac.uk> Date: Thu, 12 Apr 2012 21:21:35 +0100 From: Jonathan Cameron MIME-Version: 1.0 To: Marek Belisko CC: gregkh@linuxfoundation.org, linux-iio@vger.kernel.org, devel@driverdev.osuosl.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org Subject: Re: [PATCH] staging: iio: hmc5843: Fix crash in probe function. References: <1334260083-23479-1-git-send-email-marek.belisko@open-nandra.com> In-Reply-To: <1334260083-23479-1-git-send-email-marek.belisko@open-nandra.com> Content-Type: text/plain; charset=ISO-8859-1 Sender: linux-iio-owner@vger.kernel.org List-Id: linux-iio@vger.kernel.org On 04/12/2012 08:48 PM, Marek Belisko wrote: > Fix crash after issuing: > echo hmc5843 0x1e > /sys/class/i2c-dev/i2c-2/device/new_device > > [ 37.180999] device: '2-001e': device_add > [ 37.188293] bus: 'i2c': add device 2-001e > [ 37.194549] PM: Adding info for i2c:2-001e > [ 37.200958] bus: 'i2c': driver_probe_device: matched device 2-001e with driver hmc5843 > [ 37.210815] bus: 'i2c': really_probe: probing driver hmc5843 with device 2-001e > [ 37.224884] HMC5843 initialized > [ 37.228759] ------------[ cut here ]------------ > [ 37.233612] kernel BUG at mm/slab.c:505! > [ 37.237701] Internal error: Oops - BUG: 0 [#1] PREEMPT > [ 37.243103] Modules linked in: > [ 37.246337] CPU: 0 Not tainted (3.3.1-gta04+ #28) > [ 37.251647] PC is at kfree+0x84/0x144 > [ 37.255493] LR is at kfree+0x20/0x144 > [ 37.259338] pc : [] lr : [] psr: 40000093 > [ 37.259368] sp : de249cd8 ip : 0000000c fp : 00000090 > [ 37.271362] r10: 0000000a r9 : de229eac r8 : c0236274 > [ 37.276855] r7 : c09d6490 r6 : a0000013 r5 : de229c00 r4 : de229c10 > [ 37.283691] r3 : c0f00218 r2 : 00000400 r1 : c0eea000 r0 : c00b4028 > [ 37.290527] Flags: nZcv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user > [ 37.298095] Control: 10c5387d Table: 9e1d0019 DAC: 00000015 > [ 37.304107] Process sh (pid: 91, stack limit = 0xde2482f0) > [ 37.309844] Stack: (0xde249cd8 to 0xde24a000) > [ 37.314422] 9cc0: de229c10 de229c00 > [ 37.322998] 9ce0: de229c10 ffffffea 00000005 c0236274 de140a80 c00b4798 dec00080 de140a80 > [ 37.331573] 9d00: c032f37c dec00080 000080d0 00000001 de229c00 de229c10 c048d578 00000005 > [ 37.340148] 9d20: de229eac 0000000a 00000090 c032fa40 00000001 00000000 00000001 de229c10 > [ 37.348724] 9d40: de229eac 00000029 c075b558 00000001 00000003 00000004 de229c10 c048d594 > [ 37.357299] 9d60: 00000000 60000013 00000018 205b0007 37332020 3432322e 5d343838 c0060020 > [ 37.365905] 9d80: de251600 00000001 00000000 de251600 00000001 c0065a84 de229c00 de229c48 > [ 37.374481] 9da0: 00000006 0048d62c de229c38 de229c00 de229c00 de1f6c00 de1f6c20 00000001 > [ 37.383056] 9dc0: 00000000 c048d62c 00000000 de229c00 de229c00 de1f6c00 de1f6c20 00000001 > [ 37.391632] 9de0: 00000000 c048d62c 00000000 c0330164 00000000 de1f6c20 c048d62c de1f6c00 > [ 37.400207] 9e00: c0330078 de1f6c04 c078d714 de189b58 00000000 c02ccfd8 de1f6c20 c0795f40 > [ 37.408782] 9e20: c0238330 00000000 00000000 c02381a8 de1b9fc0 de1f6c20 de1f6c20 de249e48 > [ 37.417358] 9e40: c0238330 c0236bb0 decdbed8 de7d0f14 de1f6c20 de1f6c20 de1f6c54 de1f6c20 > [ 37.425933] 9e60: 00000000 c0238030 de1f6c20 c078d7bc de1f6c20 c02377ec de1f6c20 de1f6c28 > [ 37.434509] 9e80: dee64cb0 c0236138 c047c554 de189b58 00000000 c004b45c de1f6c20 de1f6cd8 > [ 37.443084] 9ea0: c0edfa6c de1f6c00 dee64c68 de1f6c04 de1f6c20 dee64cb8 c047c554 de189b58 > [ 37.451690] 9ec0: 00000000 c02cd634 dee64c68 de249ef4 de23b008 dee64cb0 0000000d de23b000 > [ 37.460266] 9ee0: de23b007 c02cd78c 00000002 00000000 00000000 35636d68 00333438 00000000 > [ 37.468841] 9f00: 00000000 00000000 001e0000 00000000 00000000 00000000 00000000 0a10cec0 > [ 37.477416] 9f20: 00000002 de249f80 0000000d dee62990 de189b40 c0234d88 0000000d c010c354 > [ 37.485992] 9f40: 0000000d de210f28 000acc88 de249f80 0000000d de248000 00000000 c00b7bf8 > [ 37.494567] 9f60: de210f28 000acc88 de210f28 000acc88 00000000 00000000 0000000d c00b7ed8 > [ 37.503143] 9f80: 00000000 00000000 0000000d 00000000 0007fa28 0000000d 000acc88 00000004 > [ 37.511718] 9fa0: c000e544 c000e380 0007fa28 0000000d 00000001 000acc88 0000000d 00000000 > [ 37.520294] 9fc0: 0007fa28 0000000d 000acc88 00000004 00000001 00000020 00000002 00000000 > [ 37.528869] 9fe0: 00000000 beab8624 0000ea05 b6eaebac 600d0010 00000001 00000000 00000000 > [ 37.537475] [] (kfree+0x84/0x144) from [] (device_add+0x530/0x57c) > [ 37.545806] [] (device_add+0x530/0x57c) from [] (iio_device_register+0x8c8/0x990) > [ 37.555480] [] (iio_device_register+0x8c8/0x990) from [] (hmc5843_probe+0xec/0x114) > [ 37.565338] [] (hmc5843_probe+0xec/0x114) from [] (i2c_device_probe+0xc4/0xf8) > [ 37.574737] [] (i2c_device_probe+0xc4/0xf8) from [] (driver_probe_device+0x118/0x218) > [ 37.584777] [] (driver_probe_device+0x118/0x218) from [] (bus_for_each_drv+0x4c/0x84) > [ 37.594818] [] (bus_for_each_drv+0x4c/0x84) from [] (device_attach+0x78/0xa4) > [ 37.604125] [] (device_attach+0x78/0xa4) from [] (bus_probe_device+0x28/0x9c) > [ 37.613433] [] (bus_probe_device+0x28/0x9c) from [] (device_add+0x3f4/0x57c) > [ 37.622650] [] (device_add+0x3f4/0x57c) from [] (i2c_new_device+0xf8/0x19c) > [ 37.631805] [] (i2c_new_device+0xf8/0x19c) from [] (i2c_sysfs_new_device+0xb4/0x130) > [ 37.641754] [] (i2c_sysfs_new_device+0xb4/0x130) from [] (dev_attr_store+0x18/0x24) > [ 37.651611] [] (dev_attr_store+0x18/0x24) from [] (sysfs_write_file+0x10c/0x140) > [ 37.661193] [] (sysfs_write_file+0x10c/0x140) from [] (vfs_write+0xb0/0x178) > [ 37.670410] [] (vfs_write+0xb0/0x178) from [] (sys_write+0x3c/0x68) > [ 37.678833] [] (sys_write+0x3c/0x68) from [] (ret_fast_syscall+0x0/0x3c) > [ 37.687683] Code: 1593301c e5932000 e3120080 1a000000 (e7f001f2) > [ 37.700775] ---[ end trace aaf805debdb69390 ]--- > > Client data was assigned to iio_dev structure in probe but in > hmc5843_init_client function casted to private driver data structure which > is wrong. Possibly calling mutex_init(&data->lock); corrupt data > which the lead to above crash. Good bug report followed by a good fix. You might conveivably want to prune that commit message to just a few lines of the trace though! Thanks. > > Signed-off-by: Marek Belisko Acked-by: Jonathan Cameron > Cc: stable@vger.kernel.org > --- > drivers/staging/iio/magnetometer/hmc5843.c | 4 +++- > 1 files changed, 3 insertions(+), 1 deletions(-) > > diff --git a/drivers/staging/iio/magnetometer/hmc5843.c b/drivers/staging/iio/magnetometer/hmc5843.c > index 91dd3da..e00b416 100644 > --- a/drivers/staging/iio/magnetometer/hmc5843.c > +++ b/drivers/staging/iio/magnetometer/hmc5843.c > @@ -521,7 +521,9 @@ static int hmc5843_detect(struct i2c_client *client, > /* Called when we have found a new HMC5843. */ > static void hmc5843_init_client(struct i2c_client *client) > { > - struct hmc5843_data *data = i2c_get_clientdata(client); > + struct iio_dev *indio_dev = i2c_get_clientdata(client); > + struct hmc5843_data *data = iio_priv(indio_dev); > + > hmc5843_set_meas_conf(client, data->meas_conf); > hmc5843_set_rate(client, data->rate); > hmc5843_configure(client, data->operating_mode);