From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
To: Kamal Mostafa <kamal@canonical.com>
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
kernel-team@lists.ubuntu.com, Vinod Koul <vinod.koul@intel.com>
Subject: Re: [PATCH 3.13 099/105] dmaengine: pl330: Fix NULL pointer dereference on probe failure
Date: Tue, 28 Oct 2014 08:58:35 +0100
Message-ID: <1414483115.24949.2.camel@AMDC1943>
In-Reply-To: <1414436240-13879-100-git-send-email-kamal@canonical.com>

On Mon, 2014-10-27 at 11:57 -0700, Kamal Mostafa wrote:
> 3.13.11.10 -stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
>
> commit 0f5ebabdd03b471da1906f7edddc61ceb35cee02 upstream.
>
> If dma_async_device_register() returns error and probe should clean up
> and return error, a NULL pointer exception happens because of
> dereference of not allocated channel thread:

Hi,

Please drop this patch from stable-3.13. This is a fix only for 3.17. I
made a mistake when searching for the commit introducing this bug.

Actually this is a fix for c26939e5204c ("dmaengine: pl330: Remove
pl330_chan_ctrl()") which was introduced in 3.17.

Best regards,
Krzysztof

>
> Dmesg log (from early printk):
> dma-pl330 12680000.pdma: unable to register DMAC
> DMA pl330_control: removing pch: eeac4000, chan: eeac4014, thread: (null)
> Unable to handle kernel NULL pointer dereference at virtual address 0000000c
> pgd = c0004000
> [0000000c] *pgd=00000000
> Internal error: Oops: 5 [#1] PREEMPT SMP ARM
> Modules linked in:
> CPU: 2 PID: 1 Comm: swapper/0 Not tainted 3.17.0-rc3-next-20140904-00005-g6cc4c1937d90-dirty #427
> task: ee80a800 ti: ee888000 task.ti: ee888000
> PC is at _stop+0x8/0x2c8
> LR is at pl330_control+0x70/0x2e8
> pc : [<c0205dc8>] lr : [<c020623c>] psr: 60000193
> sp : ee889df8 ip : 00000002 fp : 00000000
> r10: eeac4014 r9 : ee0e62bc r8 : 00000000
> r7 : eeac405c r6 : 60000113 r5 : ee0e6210 r4 : eeac4000
> r3 : 00000002 r2 : 00000002 r1 : 00010000 r0 : 00000000
> Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel
> Control: 10c5387d Table: 4000404a DAC: 00000015
> Process swapper/0 (pid: 1, stack limit = 0xee888240)
> Stack: (0xee889df8 to 0xee88a000)
> [<c0205dc8>] (_stop) from [<c020623c>] (pl330_control+0x70/0x2e8)
> [<c020623c>] (pl330_control) from [<c0208374>] (pl330_probe+0x594/0x75c)
> [<c0208374>] (pl330_probe) from [<c0203b3c>] (amba_probe+0xb8/0x120)
> [<c0203b3c>] (amba_probe) from [<c023f890>] (driver_probe_device+0x10c/0x22c)
> [<c023f890>] (driver_probe_device) from [<c023fa3c>] (__driver_attach+0x8c/0x90)
> [<c023fa3c>] (__driver_attach) from [<c023e0d4>] (bus_for_each_dev+0x54/0x88)
> [<c023e0d4>] (bus_for_each_dev) from [<c023f094>] (bus_add_driver+0xd4/0x1d0)
> [<c023f094>] (bus_add_driver) from [<c0240064>] (driver_register+0x78/0xf4)
> [<c0240064>] (driver_register) from [<c0008964>] (do_one_initcall+0x80/0x1d0)
> [<c0008964>] (do_one_initcall) from [<c059bcb4>] (kernel_init_freeable+0x108/0x1d4)
> [<c059bcb4>] (kernel_init_freeable) from [<c0400924>] (kernel_init+0x8/0xec)
> [<c0400924>] (kernel_init) from [<c000e7b8>] (ret_from_fork+0x14/0x3c)
> Code: e5813010 e12fff1e e92d40f0 e24dd00c (e590200c)
> ---[ end trace c94b2f4f38dff3bf ]---
>
> This happens because the necessary resources were not yet allocated - no
> call to pl330_alloc_chan_resources().
>
> Terminate the thread and free channel resource only if channel thread is not NULL.
>
> Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
> Fixes: 0b94c5771705 ("DMA: PL330: Add check if device tree compatible")
> Reviewed-by: Lars-Peter Clausen <lars@metafoo.de>
> Signed-off-by: Vinod Koul <vinod.koul@intel.com>
> Signed-off-by: Kamal Mostafa <kamal@canonical.com>
> ---
> drivers/dma/pl330.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c
> index 536632f..df7fabb 100644
> --- a/drivers/dma/pl330.c
> +++ b/drivers/dma/pl330.c
> @@ -3047,8 +3047,10 @@ probe_err3:
> list_del(&pch->chan.device_node);
>
> /* Flush the channel */
> - pl330_control(&pch->chan, DMA_TERMINATE_ALL, 0);
> - pl330_free_chan_resources(&pch->chan);
> + if (pch->thread) {
> + pl330_control(&pch->chan, DMA_TERMINATE_ALL, 0);
> + pl330_free_chan_resources(&pch->chan);
> + }
> }
> probe_err2:
> pl330_del(pi);
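
Review bot: the if (pch->thread) guard added under probe_err3 carries no comment explaining why the thread can still be NULL at this point, and the existing /* Flush the channel */ comment now sits above a conditional block that it no longer fully describes. The commit message gives the reason (dma_async_device_register() failed before any call to pl330_alloc_chan_resources()), so a one-line comment to that effect above the check would keep it from being removed as redundant later. For this 3.13 queue, note also that the Fixes: tag names 0b94c5771705 while the author states in this thread that the bug comes from c26939e5204c, introduced in 3.17, so the tag should not be used to decide which stable trees take this hunk.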