Re: [PATCH] spi: core: Fix Oops in spi_pump_messages error path
Hi Geert, On Mon, Feb 17, 2014 at 07:02:09PM +0100, Geert Uytterhoeven wrote: > On Mon, Feb 17, 2014 at 6:20 PM, Maxime Ripard > wrote: > > When the generic implementation of the transfer_one_message callback was > > called > > by the spi_pump_messages function, if that transfer was to fail, the > > spi_finalize_current_message was called twice, once in > > spi_transfer_one_message, and one in spi_pump_messages. > > > > This was causing a null pointer dereference in the second call, because the > > first one set the ->cur_msg field to NULL. > > > > Since the SPI framework expect the transfer_one_message callback to call > > spi_finalize_current_message, we can remove it from spi_pump_messages, > > together > > with any dereference of the ->cur_msg pointer. > > > > Signed-off-by: Maxime Ripard > > Cc: sta...@vger.kernel.org > > Already fixed in v3.14-rc3 in 1f802f8249a0da536877842c43c7204064c4de8b > ("spi: Fix crash with double message finalisation on error handling"). > > There's no need to inform stable, as the problem was introduced in v3.14-rc1. Oops, totally missed that. Thanks! Maxime -- Maxime Ripard, Free Electrons Embedded Linux, Kernel and Android engineering http://free-electrons.com signature.asc Description: Digital signature
Re: [PATCH] spi: core: Fix Oops in spi_pump_messages error path
On Mon, Feb 17, 2014 at 6:20 PM, Maxime Ripard wrote: > When the generic implementation of the transfer_one_message callback was > called > by the spi_pump_messages function, if that transfer was to fail, the > spi_finalize_current_message was called twice, once in > spi_transfer_one_message, and one in spi_pump_messages. > > This was causing a null pointer dereference in the second call, because the > first one set the ->cur_msg field to NULL. > > Since the SPI framework expect the transfer_one_message callback to call > spi_finalize_current_message, we can remove it from spi_pump_messages, > together > with any dereference of the ->cur_msg pointer. > > Signed-off-by: Maxime Ripard > Cc: sta...@vger.kernel.org Already fixed in v3.14-rc3 in 1f802f8249a0da536877842c43c7204064c4de8b ("spi: Fix crash with double message finalisation on error handling"). There's no need to inform stable, as the problem was introduced in v3.14-rc1. Gr{oetje,eeting}s, Geert -- Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- ge...@linux-m68k.org In personal conversations with technical people, I call myself a hacker. But when I'm talking to journalists I just say "programmer" or something like that. -- Linus Torvalds -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH] spi: core: Fix Oops in spi_pump_messages error path
When the generic implementation of the transfer_one_message callback was called by the spi_pump_messages function, if that transfer was to fail, the spi_finalize_current_message was called twice, once in spi_transfer_one_message, and one in spi_pump_messages. This was causing a null pointer dereference in the second call, because the first one set the ->cur_msg field to NULL. Since the SPI framework expect the transfer_one_message callback to call spi_finalize_current_message, we can remove it from spi_pump_messages, together with any dereference of the ->cur_msg pointer. Signed-off-by: Maxime Ripard Cc: sta...@vger.kernel.org --- drivers/spi/spi.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c index 23756b0..39f12be 100644 --- a/drivers/spi/spi.c +++ b/drivers/spi/spi.c @@ -756,8 +756,6 @@ static void spi_pump_messages(struct kthread_work *work) if (ret) { dev_err(>dev, "failed to transfer one message from queue: %d\n", ret); - master->cur_msg->status = ret; - spi_finalize_current_message(master); return; } } -- 1.8.4.2 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH] spi: core: Fix Oops in spi_pump_messages error path
When the generic implementation of the transfer_one_message callback was called by the spi_pump_messages function, if that transfer was to fail, the spi_finalize_current_message was called twice, once in spi_transfer_one_message, and one in spi_pump_messages. This was causing a null pointer dereference in the second call, because the first one set the -cur_msg field to NULL. Since the SPI framework expect the transfer_one_message callback to call spi_finalize_current_message, we can remove it from spi_pump_messages, together with any dereference of the -cur_msg pointer. Signed-off-by: Maxime Ripard maxime.rip...@free-electrons.com Cc: sta...@vger.kernel.org --- drivers/spi/spi.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c index 23756b0..39f12be 100644 --- a/drivers/spi/spi.c +++ b/drivers/spi/spi.c @@ -756,8 +756,6 @@ static void spi_pump_messages(struct kthread_work *work) if (ret) { dev_err(master-dev, failed to transfer one message from queue: %d\n, ret); - master-cur_msg-status = ret; - spi_finalize_current_message(master); return; } } -- 1.8.4.2 -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] spi: core: Fix Oops in spi_pump_messages error path
On Mon, Feb 17, 2014 at 6:20 PM, Maxime Ripard maxime.rip...@free-electrons.com wrote: When the generic implementation of the transfer_one_message callback was called by the spi_pump_messages function, if that transfer was to fail, the spi_finalize_current_message was called twice, once in spi_transfer_one_message, and one in spi_pump_messages. This was causing a null pointer dereference in the second call, because the first one set the -cur_msg field to NULL. Since the SPI framework expect the transfer_one_message callback to call spi_finalize_current_message, we can remove it from spi_pump_messages, together with any dereference of the -cur_msg pointer. Signed-off-by: Maxime Ripard maxime.rip...@free-electrons.com Cc: sta...@vger.kernel.org Already fixed in v3.14-rc3 in 1f802f8249a0da536877842c43c7204064c4de8b (spi: Fix crash with double message finalisation on error handling). There's no need to inform stable, as the problem was introduced in v3.14-rc1. Gr{oetje,eeting}s, Geert -- Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- ge...@linux-m68k.org In personal conversations with technical people, I call myself a hacker. But when I'm talking to journalists I just say programmer or something like that. -- Linus Torvalds -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] spi: core: Fix Oops in spi_pump_messages error path
Hi Geert, On Mon, Feb 17, 2014 at 07:02:09PM +0100, Geert Uytterhoeven wrote: On Mon, Feb 17, 2014 at 6:20 PM, Maxime Ripard maxime.rip...@free-electrons.com wrote: When the generic implementation of the transfer_one_message callback was called by the spi_pump_messages function, if that transfer was to fail, the spi_finalize_current_message was called twice, once in spi_transfer_one_message, and one in spi_pump_messages. This was causing a null pointer dereference in the second call, because the first one set the -cur_msg field to NULL. Since the SPI framework expect the transfer_one_message callback to call spi_finalize_current_message, we can remove it from spi_pump_messages, together with any dereference of the -cur_msg pointer. Signed-off-by: Maxime Ripard maxime.rip...@free-electrons.com Cc: sta...@vger.kernel.org Already fixed in v3.14-rc3 in 1f802f8249a0da536877842c43c7204064c4de8b (spi: Fix crash with double message finalisation on error handling). There's no need to inform stable, as the problem was introduced in v3.14-rc1. Oops, totally missed that. Thanks! Maxime -- Maxime Ripard, Free Electrons Embedded Linux, Kernel and Android engineering http://free-electrons.com signature.asc Description: Digital signature