All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] MAX1111: Fix race condition causing NULL pointer exception
@ 2011-05-18 15:18 Pavel Herrmann
  2011-05-18 15:29 ` Eric Miao
                   ` (2 more replies)
  0 siblings, 3 replies; 16+ messages in thread
From: Pavel Herrmann @ 2011-05-18 15:18 UTC (permalink / raw)
  To: linux-arm-kernel

spi_sync call uses its spi_message parameter to keep completion information,
having this structure static is not thread-safe, potentially causing one
thread having pointers to memory on or above other threads stack. use
per-call spi_message on stack to fix this

Signed-off-by: Pavel Herrmann <morpheus.ibis@gmail.com>
Signed-off-by: Marek Vasut <marek.vasut@gmail.com>
---
 drivers/hwmon/max1111.c |   86 +++++++++++++----------------------------------
 1 files changed, 24 insertions(+), 62 deletions(-)

diff --git a/drivers/hwmon/max1111.c b/drivers/hwmon/max1111.c
index 12a54aa..6422baf 100644
--- a/drivers/hwmon/max1111.c
+++ b/drivers/hwmon/max1111.c
@@ -22,9 +22,6 @@
 #include <linux/spi/spi.h>
 #include <linux/slab.h>
 
-#define MAX1111_TX_BUF_SIZE	1
-#define MAX1111_RX_BUF_SIZE	2
-
 /* MAX1111 Commands */
 #define MAX1111_CTRL_PD0      (1u << 0)
 #define MAX1111_CTRL_PD1      (1u << 1)
@@ -36,35 +33,41 @@
 struct max1111_data {
 	struct spi_device	*spi;
 	struct device		*hwmon_dev;
-	struct spi_message	msg;
-	struct spi_transfer	xfer[2];
-	uint8_t *tx_buf;
-	uint8_t *rx_buf;
 };
 
 static int max1111_read(struct device *dev, int channel)
 {
-	struct max1111_data *data = dev_get_drvdata(dev);
-	uint8_t v1, v2;
 	int err;
-
-	data->tx_buf[0] = (channel << MAX1111_CTRL_SEL_SH) |
-		MAX1111_CTRL_PD0 | MAX1111_CTRL_PD1 |
-		MAX1111_CTRL_SGL | MAX1111_CTRL_UNI | MAX1111_CTRL_STR;
-
-	err = spi_sync(data->spi, &data->msg);
+	struct max1111_data *data = dev_get_drvdata(dev);
+	struct spi_message m;
+	struct spi_transfer t[2];
+	uint8_t rx_buf[2] = {0, 0};
+	uint8_t tx_buf = (channel << MAX1111_CTRL_SEL_SH) |
+			MAX1111_CTRL_PD0 | MAX1111_CTRL_PD1 |
+			MAX1111_CTRL_SGL | MAX1111_CTRL_UNI |
+			MAX1111_CTRL_STR;
+
+	spi_message_init(&m);
+	memset(t, 0, sizeof(t));
+
+	t[0].tx_buf = &tx_buf;
+	t[0].len = 1;
+	spi_message_add_tail(&t[0], &m);
+
+	t[1].rx_buf = rx_buf;
+	t[1].len = 2;
+	spi_message_add_tail(&t[1], &m);
+
+	err = spi_sync(data->spi, &m);
 	if (err < 0) {
 		dev_err(dev, "spi_sync failed with %d\n", err);
 		return err;
 	}
 
-	v1 = data->rx_buf[0];
-	v2 = data->rx_buf[1];
-
-	if ((v1 & 0xc0) || (v2 & 0x3f))
+	if ((rx_buf[0] & 0xc0) || (rx_buf[1] & 0x3f))
 		return -EINVAL;
 
-	return (v1 << 2) | (v2 >> 6);
+	return (rx_buf[0] << 2) | (rx_buf[1] >> 6);
 }
 
 #ifdef CONFIG_SHARPSL_PM
@@ -123,38 +126,6 @@ static const struct attribute_group max1111_attr_group = {
 	.attrs	= max1111_attributes,
 };
 
-static int setup_transfer(struct max1111_data *data)
-{
-	struct spi_message *m;
-	struct spi_transfer *x;
-
-	data->tx_buf = kmalloc(MAX1111_TX_BUF_SIZE, GFP_KERNEL);
-	if (!data->tx_buf)
-		return -ENOMEM;
-
-	data->rx_buf = kmalloc(MAX1111_RX_BUF_SIZE, GFP_KERNEL);
-	if (!data->rx_buf) {
-		kfree(data->tx_buf);
-		return -ENOMEM;
-	}
-
-	m = &data->msg;
-	x = &data->xfer[0];
-
-	spi_message_init(m);
-
-	x->tx_buf = &data->tx_buf[0];
-	x->len = 1;
-	spi_message_add_tail(x, m);
-
-	x++;
-	x->rx_buf = &data->rx_buf[0];
-	x->len = 2;
-	spi_message_add_tail(x, m);
-
-	return 0;
-}
-
 static int __devinit max1111_probe(struct spi_device *spi)
 {
 	struct max1111_data *data;
@@ -172,17 +143,13 @@ static int __devinit max1111_probe(struct spi_device *spi)
 		return -ENOMEM;
 	}
 
-	err = setup_transfer(data);
-	if (err)
-		goto err_free_data;
-
 	data->spi = spi;
 	spi_set_drvdata(spi, data);
 
 	err = sysfs_create_group(&spi->dev.kobj, &max1111_attr_group);
 	if (err) {
 		dev_err(&spi->dev, "failed to create attribute group\n");
-		goto err_free_all;
+		goto err_free_data;
 	}
 
 	data->hwmon_dev = hwmon_device_register(&spi->dev);
@@ -199,9 +166,6 @@ static int __devinit max1111_probe(struct spi_device *spi)
 
 err_remove:
 	sysfs_remove_group(&spi->dev.kobj, &max1111_attr_group);
-err_free_all:
-	kfree(data->rx_buf);
-	kfree(data->tx_buf);
 err_free_data:
 	kfree(data);
 	return err;
@@ -213,8 +177,6 @@ static int __devexit max1111_remove(struct spi_device *spi)
 
 	hwmon_device_unregister(data->hwmon_dev);
 	sysfs_remove_group(&spi->dev.kobj, &max1111_attr_group);
-	kfree(data->rx_buf);
-	kfree(data->tx_buf);
 	kfree(data);
 	return 0;
 }
-- 
1.7.5.rc3

^ permalink raw reply related	[flat|nested] 16+ messages in thread

end of thread, other threads:[~2011-06-30 12:36 UTC | newest]

Thread overview: 16+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-05-18 15:18 [PATCH] MAX1111: Fix race condition causing NULL pointer exception Pavel Herrmann
2011-05-18 15:29 ` Eric Miao
2011-05-18 15:29 ` Russell King - ARM Linux
2011-05-18 17:36   ` Marek Vasut
2011-05-18 22:47     ` Russell King - ARM Linux
2011-05-19 12:35   ` Pavel Machek
2011-05-19 12:51     ` Pavel Herrmann
2011-05-19 13:55       ` Marek Vasut
2011-05-19 19:31       ` Russell King - ARM Linux
2011-05-19 22:13         ` Pavel Herrmann
2011-05-20 21:20           ` Russell King - ARM Linux
2011-05-21 20:28           ` Pavel Machek
2011-05-21 20:45             ` Pavel Herrmann
2011-05-22 15:52               ` Marek Vasut
2011-05-18 21:47 ` Cyril Hrubis
2011-06-30 12:36   ` Marek Vasut

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.