From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Martin Oldfield <m@mjoldfield.com>,
Mika Westerberg <mika.westerberg@linux.intel.com>,
Robert Jarzmik <robert.jarzmik@free.fr>,
Mark Brown <broonie@kernel.org>
Subject: [PATCH 3.14 23/33] spi/pxa2xx: Clear cur_chip pointer before starting next message
Date: Tue, 3 Feb 2015 15:14:46 -0800
Message-ID: <20150203231239.269710799@linuxfoundation.org>
In-Reply-To: <20150203231235.843316867@linuxfoundation.org>
3.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mika Westerberg <mika.westerberg@linux.intel.com>
commit c957e8f084e0d21febcd6b8a0ea9631eccc92f36 upstream.
Once the current message is finished, the driver notifies the SPI core about
this by calling spi_finalize_current_message(). This function queues the next
message to be transferred. If there are more messages in the queue, it is
possible that the driver is asked to transfer the next message at this
point.

When spi_finalize_current_message() returns, the driver clears the
drv_data->cur_chip pointer to NULL. The problem is that if the driver has
already started the next message, clearing drv_data->cur_chip will cause a
NULL pointer dereference which crashes the kernel like:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000048
IP: [<ffffffffa0022bc8>] cs_deassert+0x18/0x70 [spi_pxa2xx_platform]
PGD 78bb8067 PUD 37712067 PMD 0
Oops: 0000 [#1] SMP
Modules linked in:
CPU: 1 PID: 11 Comm: ksoftirqd/1 Tainted: G O 3.18.0-rc4-mjo #5
Hardware name: Intel Corp. VALLEYVIEW B3 PLATFORM/NOTEBOOK, BIOS MNW2CRB1.X64.0071.R30.1408131301 08/13/2014
task: ffff880077f9f290 ti: ffff88007a820000 task.ti: ffff88007a820000
RIP: 0010:[<ffffffffa0022bc8>] [<ffffffffa0022bc8>] cs_deassert+0x18/0x70 [spi_pxa2xx_platform]
RSP: 0018:ffff88007a823d08 EFLAGS: 00010202
RAX: 0000000000000008 RBX: ffff8800379a4430 RCX: 0000000000000026
RDX: 0000000000000000 RSI: 0000000000000246 RDI: ffff8800379a4430
RBP: ffff88007a823d18 R08: 00000000ffffffff R09: 000000007a9bc65a
R10: 000000000000028f R11: 0000000000000005 R12: ffff880070123e98
R13: ffff880070123de8 R14: 0000000000000100 R15: ffffc90004888000
FS: 0000000000000000(0000) GS:ffff880079a80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000048 CR3: 000000007029b000 CR4: 00000000001007e0
Stack:
ffff88007a823d58 ffff8800379a4430 ffff88007a823d48 ffffffffa0022c89
0000000000000000 ffff8800379a4430 0000000000000000 0000000000000006
ffff88007a823da8 ffffffffa0023be0 ffff88007a823dd8 ffffffff81076204
Call Trace:
[<ffffffffa0022c89>] giveback+0x69/0xa0 [spi_pxa2xx_platform]
[<ffffffffa0023be0>] pump_transfers+0x710/0x740 [spi_pxa2xx_platform]
[<ffffffff81076204>] ? pick_next_task_fair+0x744/0x830
[<ffffffff81049679>] tasklet_action+0xa9/0xe0
[<ffffffff81049a0e>] __do_softirq+0xee/0x280
[<ffffffff81049bc0>] run_ksoftirqd+0x20/0x40
[<ffffffff810646df>] smpboot_thread_fn+0xff/0x1b0
[<ffffffff810645e0>] ? SyS_setgroups+0x150/0x150
[<ffffffff81060f9d>] kthread+0xcd/0xf0
[<ffffffff81060ed0>] ? kthread_create_on_node+0x180/0x180
[<ffffffff8187a82c>] ret_from_fork+0x7c/0xb0
Fix this by clearing drv_data->cur_chip before we call spi_finalize_current_message().
Reported-by: Martin Oldfield <m@mjoldfield.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Acked-by: Robert Jarzmik <robert.jarzmik@free.fr>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-pxa2xx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/spi/spi-pxa2xx.c
+++ b/drivers/spi/spi-pxa2xx.c
@@ -400,8 +400,8 @@ static void giveback(struct driver_data
cs_deassert(drv_data);
}
- spi_finalize_current_message(drv_data->master);
drv_data->cur_chip = NULL;
+ spi_finalize_current_message(drv_data->master);
}
static void reset_sccr1(struct driver_data *drv_data)
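Review bot: the ordering constraint this hunk depends on, that spi_finalize_current_message() may hand the driver the next message (and with it a new cur_chip) before it returns, is not recorded in giveback() itself; a one-line comment above `drv_data->cur_chip = NULL;` saying the pointer must be cleared before the core is allowed to start the next message would keep a later cleanup from swapping the two lines back and reintroducing the oops. The same hazard applies to any other per-message field of drv_data that giveback() clears after the call; only cur_chip is moved in this hunk, so it is worth confirming that nothing else is written after spi_finalize_current_message() returns.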
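The race the commit message describes is easy to reproduce in a deterministic model. The following C program is an added example and is not code from the kernel or from this patch: the structures, the queue, the `tasklet_pending` flag and the `run_queue`/`chip_deasserts` helpers are hypothetical stand-ins for the SPI core's message queue and the driver's pump_transfers tasklet. It runs the same sequence of single-transfer messages through both orderings of giveback() and counts how often cs_deassert() would have read a NULL cur_chip, which is the dereference in the oops above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_MSGS 8

/* Hypothetical stand-ins for per-chip and per-message driver state. */
struct chip_data { int deasserts; };
struct spi_message { struct chip_data *chip; };

struct driver_data {
    struct chip_data *cur_chip;      /* the pointer whose clearing the patch moves */
    bool clear_before_finalize;      /* true: patched ordering, false: 3.14 ordering */
    struct spi_message *queue;       /* constructed model of the SPI core queue */
    int queue_len, queue_head;
    bool tasklet_pending;            /* constructed model of the pump_transfers tasklet */
    int null_derefs;                 /* NULL cur_chip uses that would oops for real */
};

static struct chip_data chips[MAX_MSGS];

/* The real cs_deassert() reads drv_data->cur_chip; here a NULL pointer is
 * counted instead of dereferenced so the model keeps running. */
static int cs_deassert(struct driver_data *drv)
{
    if (!drv->cur_chip) {
        drv->null_derefs++;
        return -1;
    }
    drv->cur_chip->deasserts++;
    return 0;
}

/* Core hands the driver the next message: cur_chip is set for it and
 * pump_transfers is scheduled to run later from softirq context. */
static bool spi_start_next(struct driver_data *drv)
{
    if (drv->queue_head >= drv->queue_len)
        return false;
    drv->cur_chip = drv->queue[drv->queue_head++].chip;
    drv->tasklet_pending = true;     /* tasklet_schedule(&drv->pump_transfers) */
    return true;
}

/* May start the next queued message before returning to giveback():
 * that is the window the commit message describes. */
static void spi_finalize_current_message(struct driver_data *drv)
{
    spi_start_next(drv);
}

static void giveback(struct driver_data *drv)
{
    cs_deassert(drv);
    if (drv->clear_before_finalize) {
        drv->cur_chip = NULL;                  /* patched: clear, then hand over */
        spi_finalize_current_message(drv);
    } else {
        spi_finalize_current_message(drv);     /* 3.14: next message may now own cur_chip */
        drv->cur_chip = NULL;                  /* ...and this wipes it */
    }
}

/* Each message has a single transfer, so the tasklet completes it at once. */
static void pump_transfers(struct driver_data *drv)
{
    drv->tasklet_pending = false;
    giveback(drv);
}

/* Queue nmsgs single-transfer messages, one chip each, and drain the tasklet.
 * Returns how many times cs_deassert() saw cur_chip == NULL. */
int run_queue(bool patched, int nmsgs)
{
    struct spi_message msgs[MAX_MSGS];
    struct driver_data drv;
    int i;

    if (nmsgs > MAX_MSGS)
        nmsgs = MAX_MSGS;
    memset(&drv, 0, sizeof(drv));
    memset(chips, 0, sizeof(chips));
    for (i = 0; i < nmsgs; i++)
        msgs[i].chip = &chips[i];
    drv.clear_before_finalize = patched;
    drv.queue = msgs;
    drv.queue_len = nmsgs;

    spi_start_next(&drv);                      /* the core kicks the first message */
    while (drv.tasklet_pending)                /* ksoftirqd draining the tasklet */
        pump_transfers(&drv);
    return drv.null_derefs;
}

/* Chip-select deasserts recorded for message i's chip in the last run. */
int chip_deasserts(int i)
{
    return (i >= 0 && i < MAX_MSGS) ? chips[i].deasserts : -1;
}

int main(void)
{
    printf("3.14 ordering, 2 queued messages: %d NULL cur_chip uses\n", run_queue(false, 2));
    printf("patched ordering, 3 queued messages: %d NULL cur_chip uses\n", run_queue(true, 3));
    return 0;
}
```

With a single message neither ordering fails, which matches the commit message: the clobbering needs a second message already queued when the first one is finalized. With two messages and the 3.14 ordering, the second message's chip select is never deasserted because its cur_chip was wiped by the first message's giveback(); with the patched ordering every chip is deasserted exactly once.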