Re: [PATCH] spi: core: Fix Oops in spi_pump_messages error path
Hi Geert,
On Mon, Feb 17, 2014 at 07:02:09PM +0100, Geert Uytterhoeven wrote:
> On Mon, Feb 17, 2014 at 6:20 PM, Maxime Ripard
> wrote:
> > When the generic implementation of the transfer_one_message callback was
> > called
> > by the spi_pump_messages function, if that transfer was to fail, the
> > spi_finalize_current_message was called twice, once in
> > spi_transfer_one_message, and one in spi_pump_messages.
> >
> > This was causing a null pointer dereference in the second call, because the
> > first one set the ->cur_msg field to NULL.
> >
> > Since the SPI framework expect the transfer_one_message callback to call
> > spi_finalize_current_message, we can remove it from spi_pump_messages,
> > together
> > with any dereference of the ->cur_msg pointer.
> >
> > Signed-off-by: Maxime Ripard
> > Cc: sta...@vger.kernel.org
>
> Already fixed in v3.14-rc3 in 1f802f8249a0da536877842c43c7204064c4de8b
> ("spi: Fix crash with double message finalisation on error handling").
>
> There's no need to inform stable, as the problem was introduced in v3.14-rc1.
Oops, totally missed that. Thanks!
Maxime
--
Maxime Ripard, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com
signature.asc
Description: Digital signature
Re: [PATCH] spi: core: Fix Oops in spi_pump_messages error path
On Mon, Feb 17, 2014 at 6:20 PM, Maxime Ripard
wrote:
> When the generic implementation of the transfer_one_message callback was
> called
> by the spi_pump_messages function, if that transfer was to fail, the
> spi_finalize_current_message was called twice, once in
> spi_transfer_one_message, and one in spi_pump_messages.
>
> This was causing a null pointer dereference in the second call, because the
> first one set the ->cur_msg field to NULL.
>
> Since the SPI framework expect the transfer_one_message callback to call
> spi_finalize_current_message, we can remove it from spi_pump_messages,
> together
> with any dereference of the ->cur_msg pointer.
>
> Signed-off-by: Maxime Ripard
> Cc: sta...@vger.kernel.org
Already fixed in v3.14-rc3 in 1f802f8249a0da536877842c43c7204064c4de8b
("spi: Fix crash with double message finalisation on error handling").
There's no need to inform stable, as the problem was introduced in v3.14-rc1.
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- ge...@linux-m68k.org
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH] spi: core: Fix Oops in spi_pump_messages error path
When the generic implementation of the transfer_one_message callback was called
by the spi_pump_messages function, if that transfer was to fail, the
spi_finalize_current_message was called twice, once in
spi_transfer_one_message, and one in spi_pump_messages.
This was causing a null pointer dereference in the second call, because the
first one set the ->cur_msg field to NULL.
Since the SPI framework expect the transfer_one_message callback to call
spi_finalize_current_message, we can remove it from spi_pump_messages, together
with any dereference of the ->cur_msg pointer.
Signed-off-by: Maxime Ripard
Cc: sta...@vger.kernel.org
---
drivers/spi/spi.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
index 23756b0..39f12be 100644
--- a/drivers/spi/spi.c
+++ b/drivers/spi/spi.c
@@ -756,8 +756,6 @@ static void spi_pump_messages(struct kthread_work *work)
if (ret) {
dev_err(>dev,
"failed to transfer one message from queue: %d\n", ret);
- master->cur_msg->status = ret;
- spi_finalize_current_message(master);
return;
}
}
--
1.8.4.2
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[PATCH] spi: core: Fix Oops in spi_pump_messages error path
When the generic implementation of the transfer_one_message callback was called
by the spi_pump_messages function, if that transfer was to fail, the
spi_finalize_current_message was called twice, once in
spi_transfer_one_message, and one in spi_pump_messages.
This was causing a null pointer dereference in the second call, because the
first one set the -cur_msg field to NULL.
Since the SPI framework expect the transfer_one_message callback to call
spi_finalize_current_message, we can remove it from spi_pump_messages, together
with any dereference of the -cur_msg pointer.
Signed-off-by: Maxime Ripard maxime.rip...@free-electrons.com
Cc: sta...@vger.kernel.org
---
drivers/spi/spi.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
index 23756b0..39f12be 100644
--- a/drivers/spi/spi.c
+++ b/drivers/spi/spi.c
@@ -756,8 +756,6 @@ static void spi_pump_messages(struct kthread_work *work)
if (ret) {
dev_err(master-dev,
failed to transfer one message from queue: %d\n, ret);
- master-cur_msg-status = ret;
- spi_finalize_current_message(master);
return;
}
}
--
1.8.4.2
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] spi: core: Fix Oops in spi_pump_messages error path
On Mon, Feb 17, 2014 at 6:20 PM, Maxime Ripard
maxime.rip...@free-electrons.com wrote:
When the generic implementation of the transfer_one_message callback was
called
by the spi_pump_messages function, if that transfer was to fail, the
spi_finalize_current_message was called twice, once in
spi_transfer_one_message, and one in spi_pump_messages.
This was causing a null pointer dereference in the second call, because the
first one set the -cur_msg field to NULL.
Since the SPI framework expect the transfer_one_message callback to call
spi_finalize_current_message, we can remove it from spi_pump_messages,
together
with any dereference of the -cur_msg pointer.
Signed-off-by: Maxime Ripard maxime.rip...@free-electrons.com
Cc: sta...@vger.kernel.org
Already fixed in v3.14-rc3 in 1f802f8249a0da536877842c43c7204064c4de8b
(spi: Fix crash with double message finalisation on error handling).
There's no need to inform stable, as the problem was introduced in v3.14-rc1.
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- ge...@linux-m68k.org
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say programmer or something like that.
-- Linus Torvalds
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] spi: core: Fix Oops in spi_pump_messages error path
Hi Geert, On Mon, Feb 17, 2014 at 07:02:09PM +0100, Geert Uytterhoeven wrote: On Mon, Feb 17, 2014 at 6:20 PM, Maxime Ripard maxime.rip...@free-electrons.com wrote: When the generic implementation of the transfer_one_message callback was called by the spi_pump_messages function, if that transfer was to fail, the spi_finalize_current_message was called twice, once in spi_transfer_one_message, and one in spi_pump_messages. This was causing a null pointer dereference in the second call, because the first one set the -cur_msg field to NULL. Since the SPI framework expect the transfer_one_message callback to call spi_finalize_current_message, we can remove it from spi_pump_messages, together with any dereference of the -cur_msg pointer. Signed-off-by: Maxime Ripard maxime.rip...@free-electrons.com Cc: sta...@vger.kernel.org Already fixed in v3.14-rc3 in 1f802f8249a0da536877842c43c7204064c4de8b (spi: Fix crash with double message finalisation on error handling). There's no need to inform stable, as the problem was introduced in v3.14-rc1. Oops, totally missed that. Thanks! Maxime -- Maxime Ripard, Free Electrons Embedded Linux, Kernel and Android engineering http://free-electrons.com signature.asc Description: Digital signature
