* [PATCH 1/4] spi/mpc52xx: Fix error handling in probe function
@ 2012-08-18 16:29 Guenter Roeck
       [not found] ` <1345307364-4914-1-git-send-email-linux-0h96xk9xTtrk1uMJSBkQmQ@public.gmane.org>
  0 siblings, 1 reply; 4+ messages in thread
From: Guenter Roeck @ 2012-08-18 16:29 UTC (permalink / raw)
  To: spi-devel-general-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f
  Cc: Mark Brown, Guenter Roeck

The call to spi_master_put() is needed to free device memory. It must be called
after spi_alloc_master, and must only be called after the device memory is no
longer used.

Signed-off-by: Guenter Roeck <linux-0h96xk9xTtrk1uMJSBkQmQ@public.gmane.org>
---
 drivers/spi/spi-mpc52xx.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/spi/spi-mpc52xx.c b/drivers/spi/spi-mpc52xx.c
index cb3a383..a749589 100644
--- a/drivers/spi/spi-mpc52xx.c
+++ b/drivers/spi/spi-mpc52xx.c
@@ -454,7 +454,7 @@ static int __devinit mpc52xx_spi_probe(struct platform_device *op)
 				GFP_KERNEL);
 		if (!ms->gpio_cs) {
 			rc = -ENOMEM;
-			goto err_alloc;
+			goto err_alloc_gpio;
 		}
 
 		for (i = 0; i < ms->gpio_cs_count; i++) {
@@ -514,12 +514,13 @@ static int __devinit mpc52xx_spi_probe(struct platform_device *op)
 
  err_register:
 	dev_err(&ms->master->dev, "initialization failed\n");
-	spi_master_put(master);
  err_gpio:
 	while (i-- > 0)
 		gpio_free(ms->gpio_cs[i]);
 
 	kfree(ms->gpio_cs);
+ err_alloc_gpio:
+	spi_master_put(master);
  err_alloc:
  err_init:
 	iounmap(regs);
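Review bot: The unwind labels after err_register now depend on an ordering rule that nothing in the code states: `spi_master_put(master)` at err_alloc_gpio must stay below the last `ms->gpio_cs` access. This follows if ms lives inside the master allocation, as `spi_master_get_devdata(master)` in this file's remove function suggests; probe presumably obtains it the same way. A one-line comment at the new label would keep a later edit from moving the put back up, for example `/* ms is freed together with master: no ms-> access below this point */`. The `while (i-- > 0)` loop also assumes that i counts only the GPIOs already requested when control arrives from err_register, and i's initialisation is outside the hunk, so that is worth confirming. The body of mpc52xx_spi_probe starts and ends outside this hunk.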
-- 
1.7.9.7



* [PATCH 2/4] spi/mpc52xx: Fix device remove function
       [not found] ` <1345307364-4914-1-git-send-email-linux-0h96xk9xTtrk1uMJSBkQmQ@public.gmane.org>
@ 2012-08-18 16:29   ` Guenter Roeck
  2012-08-18 16:29   ` [PATCH 3/4] spi/mpc52xx-psc: Avoid access to freed memory in " Guenter Roeck
  2012-08-18 16:29   ` [PATCH 4/4] spi/mpc512x-psc: " Guenter Roeck
  2 siblings, 0 replies; 4+ messages in thread
From: Guenter Roeck @ 2012-08-18 16:29 UTC (permalink / raw)
  To: spi-devel-general-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f
  Cc: Mark Brown, Guenter Roeck

The call sequence spi_alloc_master/spi_register_master/spi_unregister_master is
complete; it reduces the device reference count to zero, which results in
device memory being freed. An extra call to spi_master_put is unnecessary
and results in an access to freed memory.

At the same time, since the call to spi_unregister_master results in device
memory being freed, it must no longer be accessed afterwards.

To fix both problems, call spi_master_get to get an extra reference to the
device, and call spi_master_put only after the last access to device data.

Signed-off-by: Guenter Roeck <linux-0h96xk9xTtrk1uMJSBkQmQ@public.gmane.org>
---
 drivers/spi/spi-mpc52xx.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/spi/spi-mpc52xx.c b/drivers/spi/spi-mpc52xx.c
index a749589..0454106 100644
--- a/drivers/spi/spi-mpc52xx.c
+++ b/drivers/spi/spi-mpc52xx.c
@@ -529,7 +529,7 @@ static int __devinit mpc52xx_spi_probe(struct platform_device *op)
 
 static int __devexit mpc52xx_spi_remove(struct platform_device *op)
 {
-	struct spi_master *master = dev_get_drvdata(&op->dev);
+	struct spi_master *master = spi_master_get(dev_get_drvdata(&op->dev));
 	struct mpc52xx_spi *ms = spi_master_get_devdata(master);
 	int i;
 
@@ -541,8 +541,8 @@ static int __devexit mpc52xx_spi_remove(struct platform_device *op)
 
 	kfree(ms->gpio_cs);
 	spi_unregister_master(master);
-	spi_master_put(master);
 	iounmap(ms->regs);
+	spi_master_put(master);
 
 	return 0;
 }
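Review bot: `kfree(ms->gpio_cs)` still runs before `spi_unregister_master(master)`, so the chip-select array is released while the master is still registered. If child devices can submit transfers until the unregister returns (the transfer path is not visible here), that leaves a window in which the freed array could be used. With the extra reference taken at the top of the function, ms stays valid across the unregister, so the call could move ahead of the cleanup: `spi_unregister_master(master);` first, then `kfree(ms->gpio_cs);`, `iounmap(ms->regs);` and `spi_master_put(master);`. The start of mpc52xx_spi_remove, including whatever releases the GPIOs, is outside this hunk.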
-- 
1.7.9.7



* [PATCH 3/4] spi/mpc52xx-psc: Avoid access to freed memory in device remove function
       [not found] ` <1345307364-4914-1-git-send-email-linux-0h96xk9xTtrk1uMJSBkQmQ@public.gmane.org>
  2012-08-18 16:29   ` [PATCH 2/4] spi/mpc52xx: Fix device remove function Guenter Roeck
@ 2012-08-18 16:29   ` Guenter Roeck
  2012-08-18 16:29   ` [PATCH 4/4] spi/mpc512x-psc: " Guenter Roeck
  2 siblings, 0 replies; 4+ messages in thread
From: Guenter Roeck @ 2012-08-18 16:29 UTC (permalink / raw)
  To: spi-devel-general-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f
  Cc: Mark Brown, Guenter Roeck

The call to spi_unregister_master() in the device remove function frees device
memory, and with it any device local data. However, device local data is still
accessed after the call to spi_unregister_master().

Acquire a reference to the SPI master device and release it after cleanup is
complete to solve the problem.

Signed-off-by: Guenter Roeck <linux-0h96xk9xTtrk1uMJSBkQmQ@public.gmane.org>
---
 drivers/spi/spi-mpc52xx-psc.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/spi/spi-mpc52xx-psc.c b/drivers/spi/spi-mpc52xx-psc.c
index 6604715..bd47d26 100644
--- a/drivers/spi/spi-mpc52xx-psc.c
+++ b/drivers/spi/spi-mpc52xx-psc.c
@@ -481,7 +481,7 @@ static int __devinit mpc52xx_psc_spi_of_probe(struct platform_device *op)
 
 static int __devexit mpc52xx_psc_spi_of_remove(struct platform_device *op)
 {
-	struct spi_master *master = dev_get_drvdata(&op->dev);
+	struct spi_master *master = spi_master_get(dev_get_drvdata(&op->dev));
 	struct mpc52xx_psc_spi *mps = spi_master_get_devdata(master);
 
 	flush_workqueue(mps->workqueue);
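Review bot: The reference that keeps mps alive is taken inside the declaration initializer, `spi_master_get(dev_get_drvdata(&op->dev))`, where the side effect is easy to overlook. The matching `spi_master_put(master)` sits at the far end of the function, so a later cleanup could drop one half of the pair. A comment at the declaration would state the intent, for example `/* extra reference: mps lives in the master allocation and is used after spi_unregister_master() */`. The same line appears in mpc52xx_spi_remove (patch 2/4) and mpc512x_psc_spi_do_remove (patch 4/4) and would benefit from the same comment. The rest of the remove function, including the unregister call itself, is outside this hunk.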
@@ -490,6 +490,7 @@ static int __devexit mpc52xx_psc_spi_of_remove(struct platform_device *op)
 	free_irq(mps->irq, mps);
 	if (mps->psc)
 		iounmap(mps->psc);
+	spi_master_put(master);
 
 	return 0;
 }
-- 
1.7.9.7



* [PATCH 4/4] spi/mpc512x-psc: Avoid access to freed memory in device remove function
       [not found] ` <1345307364-4914-1-git-send-email-linux-0h96xk9xTtrk1uMJSBkQmQ@public.gmane.org>
  2012-08-18 16:29   ` [PATCH 2/4] spi/mpc52xx: Fix device remove function Guenter Roeck
  2012-08-18 16:29   ` [PATCH 3/4] spi/mpc52xx-psc: Avoid access to freed memory in " Guenter Roeck
@ 2012-08-18 16:29   ` Guenter Roeck
  2 siblings, 0 replies; 4+ messages in thread
From: Guenter Roeck @ 2012-08-18 16:29 UTC (permalink / raw)
  To: spi-devel-general-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f
  Cc: Mark Brown, Guenter Roeck

The call to spi_unregister_master() in the device remove function frees device
memory, and with it any device local data. However, device local data is still
accessed after the call to spi_unregister_master().

Acquire a reference to the SPI master device and release it after cleanup is
complete to solve the problem.

Signed-off-by: Guenter Roeck <linux-0h96xk9xTtrk1uMJSBkQmQ@public.gmane.org>
---
 drivers/spi/spi-mpc512x-psc.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/spi/spi-mpc512x-psc.c b/drivers/spi/spi-mpc512x-psc.c
index 4c63f77..0a1e39e 100644
--- a/drivers/spi/spi-mpc512x-psc.c
+++ b/drivers/spi/spi-mpc512x-psc.c
@@ -494,7 +494,7 @@ free_master:
 
 static int __devexit mpc512x_psc_spi_do_remove(struct device *dev)
 {
-	struct spi_master *master = dev_get_drvdata(dev);
+	struct spi_master *master = spi_master_get(dev_get_drvdata(dev));
 	struct mpc512x_psc_spi *mps = spi_master_get_devdata(master);
 
 	flush_workqueue(mps->workqueue);
@@ -503,6 +503,7 @@ static int __devexit mpc512x_psc_spi_do_remove(struct device *dev)
 	free_irq(mps->irq, mps);
 	if (mps->psc)
 		iounmap(mps->psc);
+	spi_master_put(master);
 
 	return 0;
 }
-- 
1.7.9.7


