* David Brownell | 2008-05-02 10:55:11 [-0700]:
>On Friday 02 May 2008, Sebastian Siewior wrote:
>
>> >> No, I mean that the issue is most likely a spidev bug.
>> >
>> > Does the appended patch resolve the problem you observed?
>>
>> Nope. The backtrace:
>
>... shows *new and different* behavior -- right?
>
>
>> Sending SPI_IOC_[ 4.294967] ------------[ cut here ]------------
>> [ 4.294967] Badness at
>> /home/bigeasy/git/linux-2.6-powerpc/kernel/mutex.c:134
>> ...
>> [ 4.294967] Call Trace:
>> [ 4.294967] [df273e10] [00000001] 0x1 (unreliable)
>> [ 4.294967] [df273e50] [c01b5148] spidev_ioctl+0x4c8/0x6ec
>> [ 4.294967] [df273ec0] [c00861c0] vfs_ioctl+0x88/0xa8
>> [ 4.294967] [df273ee0] [c00865e0] do_vfs_ioctl+0x400/0x444
>> [ 4.294967] [df273f10] [c0086664] sys_ioctl+0x40/0x70
>> [ 4.294967] [df273f40] [c000ded8] ret_from_syscall+0x0/0x3c
>> ...
>> [ 4.294967] Unable to handle kernel paging request for data at address
>> 0x6b6b6b6b
>>
>> I started my spidev user, removed the module and then I started to write
>> what results in an ioctl. spidev_ioctl+0x4c8/0x6ec is
>> drivers/spi/spidev.c:228 and that is the first mutex_lock() in
>> spidev_message().
>
>Hmm, now it's referencing freed memory: 0x6b6b6b6b means it
>used a pointer and got memory filled with POISON_FREE. With
>the particular memory dedicated to managing the spidev state.
Right. That mutex should still be available since only the
spidev->spi is gone.
>
>That memory is freed only by spidev_classdev_release(), so
>it looks like this particular issue is a refcounting bug.
>I'll look at it later (unless you make time for it first).
I try what I can do tomorrow but I probably can't before sunday.
>> However you are touching spidev->spi and this is gone isn't it?
>
>The appended update should catch a few spidev_ioctl() references
>which the initial patch overlooked ... it goes on top of the patch
>I sent first time.
>
>But such a reference *COULD NOT* cause references to a mutex
>in memory which has been deleted.
Right.
>
>- Dave
>
>
>--- g26.orig/drivers/spi/spidev.c 2008-05-02 10:16:04.000000000 -0700
>+++ g26/drivers/spi/spidev.c 2008-05-02 10:14:39.000000000 -0700
>@@ -326,8 +326,16 @@ spidev_ioctl(struct inode *inode, struct
> if (err)
> return -EFAULT;
>
>+ /* guard against device removal before, or while,
>+ * we issue this ioctl.
>+ */
> spidev = filp->private_data;
>- spi = spidev->spi;
>+ spin_lock_irq(&spidev->spi_lock);
>+ spi = spi_dev_get(spidev->spi);
>+ spin_unlock_irq(&spidev->spi_lock);
>+
>+ if (spi == NULL)
>+ return ESHUTDOWN;
-ESHUTDOWN
>
> switch (cmd) {
> /* read requests */
>@@ -413,8 +421,10 @@ spidev_ioctl(struct inode *inode, struct
> default:
> /* segmented and/or full-duplex I/O request */
> if (_IOC_NR(cmd) != _IOC_NR(SPI_IOC_MESSAGE(0))
>- || _IOC_DIR(cmd) != _IOC_WRITE)
>- return -ENOTTY;
>+ || _IOC_DIR(cmd) != _IOC_WRITE) {
>+ retval = -ENOTTY;
>+ break;
>+ }
>
> tmp = _IOC_SIZE(cmd);
> if ((tmp % sizeof(struct spi_ioc_transfer)) != 0) {
>@@ -442,6 +452,7 @@ spidev_ioctl(struct inode *inode, struct
> kfree(ioc);
> break;
> }
>+ spi_dev_put(spi);
> return retval;
> }
>
Sebastian
-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
_______________________________________________
spi-devel-general mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/spi-devel-general
