* [PATCH AUTOSEL 5.8 24/29] spi: fsl-espi: Only process interrupts for expected events
[not found] <20200929013027.2406344-1-sashal@kernel.org>
@ 2020-09-29 1:30 ` Sasha Levin
2020-09-29 1:30 ` [PATCH AUTOSEL 5.8 28/29] spi: fsl-dspi: fix use-after-free in remove path Sasha Levin
1 sibling, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2020-09-29 1:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Chris Packham, Mark Brown, Sasha Levin, linux-spi
From: Chris Packham <chris.packham@alliedtelesis.co.nz>
[ Upstream commit b867eef4cf548cd9541225aadcdcee644669b9e1 ]
The SPIE register contains counts for the TX FIFO so any time the irq
handler was invoked we would attempt to process the RX/TX fifos. Use the
SPIM value to mask the events so that we only process interrupts that
were expected.
This was a latent issue exposed by commit 3282a3da25bd ("powerpc/64:
Implement soft interrupt replay in C").
Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
Link: https://lore.kernel.org/r/20200904002812.7300-1-chris.packham@alliedtelesis.co.nz
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-fsl-espi.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/spi/spi-fsl-espi.c b/drivers/spi/spi-fsl-espi.c
index e60581283a247..6d148ab70b93e 100644
--- a/drivers/spi/spi-fsl-espi.c
+++ b/drivers/spi/spi-fsl-espi.c
@@ -564,13 +564,14 @@ static void fsl_espi_cpu_irq(struct fsl_espi *espi, u32 events)
static irqreturn_t fsl_espi_irq(s32 irq, void *context_data)
{
struct fsl_espi *espi = context_data;
- u32 events;
+ u32 events, mask;
spin_lock(&espi->lock);
/* Get interrupt events(tx/rx) */
events = fsl_espi_read_reg(espi, ESPI_SPIE);
- if (!events) {
+ mask = fsl_espi_read_reg(espi, ESPI_SPIM);
+ if (!(events & mask)) {
spin_unlock(&espi->lock);
return IRQ_NONE;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH AUTOSEL 5.8 28/29] spi: fsl-dspi: fix use-after-free in remove path
[not found] <20200929013027.2406344-1-sashal@kernel.org>
2020-09-29 1:30 ` [PATCH AUTOSEL 5.8 24/29] spi: fsl-espi: Only process interrupts for expected events Sasha Levin
@ 2020-09-29 1:30 ` Sasha Levin
2020-09-29 6:22 ` Sascha Hauer
1 sibling, 1 reply; 4+ messages in thread
From: Sasha Levin @ 2020-09-29 1:30 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Sascha Hauer, Mark Brown, Sasha Levin, linux-spi
From: Sascha Hauer <s.hauer@pengutronix.de>
[ Upstream commit 530b5affc675ade5db4a03f04ed7cd66806c8a1a ]
spi_unregister_controller() not only unregisters the controller, but
also frees the controller. This will free the driver data with it, so
we must not access it later dspi_remove().
Solve this by allocating the driver data separately from the SPI
controller.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Link: https://lore.kernel.org/r/20200923131026.20707-1-s.hauer@pengutronix.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-fsl-dspi.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/drivers/spi/spi-fsl-dspi.c b/drivers/spi/spi-fsl-dspi.c
index 91c6affe139c9..aae9f9a7aea6c 100644
--- a/drivers/spi/spi-fsl-dspi.c
+++ b/drivers/spi/spi-fsl-dspi.c
@@ -1273,11 +1273,14 @@ static int dspi_probe(struct platform_device *pdev)
void __iomem *base;
bool big_endian;
- ctlr = spi_alloc_master(&pdev->dev, sizeof(struct fsl_dspi));
+ dspi = devm_kzalloc(&pdev->dev, sizeof(*dspi), GFP_KERNEL);
+ if (!dspi)
+ return -ENOMEM;
+
+ ctlr = spi_alloc_master(&pdev->dev, 0);
if (!ctlr)
return -ENOMEM;
- dspi = spi_controller_get_devdata(ctlr);
dspi->pdev = pdev;
dspi->ctlr = ctlr;
@@ -1414,7 +1417,7 @@ static int dspi_probe(struct platform_device *pdev)
if (dspi->devtype_data->trans_mode != DSPI_DMA_MODE)
ctlr->ptp_sts_supported = true;
- platform_set_drvdata(pdev, ctlr);
+ platform_set_drvdata(pdev, dspi);
ret = spi_register_controller(ctlr);
if (ret != 0) {
@@ -1437,8 +1440,7 @@ static int dspi_probe(struct platform_device *pdev)
static int dspi_remove(struct platform_device *pdev)
{
- struct spi_controller *ctlr = platform_get_drvdata(pdev);
- struct fsl_dspi *dspi = spi_controller_get_devdata(ctlr);
+ struct fsl_dspi *dspi = platform_get_drvdata(pdev);
/* Disconnect from the SPI framework */
spi_unregister_controller(dspi->ctlr);
--
2.25.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH AUTOSEL 5.8 28/29] spi: fsl-dspi: fix use-after-free in remove path
2020-09-29 1:30 ` [PATCH AUTOSEL 5.8 28/29] spi: fsl-dspi: fix use-after-free in remove path Sasha Levin
@ 2020-09-29 6:22 ` Sascha Hauer
2020-10-04 12:58 ` Sasha Levin
0 siblings, 1 reply; 4+ messages in thread
From: Sascha Hauer @ 2020-09-29 6:22 UTC (permalink / raw)
To: Sasha Levin; +Cc: linux-kernel, stable, Mark Brown, linux-spi
Hi Sasha,
On Mon, Sep 28, 2020 at 09:30:25PM -0400, Sasha Levin wrote:
> From: Sascha Hauer <s.hauer@pengutronix.de>
>
> [ Upstream commit 530b5affc675ade5db4a03f04ed7cd66806c8a1a ]
>
> spi_unregister_controller() not only unregisters the controller, but
> also frees the controller. This will free the driver data with it, so
> we must not access it later dspi_remove().
>
> Solve this by allocating the driver data separately from the SPI
> controller.
>
> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
> Link: https://lore.kernel.org/r/20200923131026.20707-1-s.hauer@pengutronix.de
> Signed-off-by: Mark Brown <broonie@kernel.org>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
> drivers/spi/spi-fsl-dspi.c | 12 +++++++-----
> 1 file changed, 7 insertions(+), 5 deletions(-)
This patch causes a regression and shouldn't be applied without the fix
in https://lkml.org/lkml/2020/9/28/300.
Sascha
> index 91c6affe139c9..aae9f9a7aea6c 100644
> --- a/drivers/spi/spi-fsl-dspi.c
> +++ b/drivers/spi/spi-fsl-dspi.c
> @@ -1273,11 +1273,14 @@ static int dspi_probe(struct platform_device *pdev)
> void __iomem *base;
> bool big_endian;
>
> - ctlr = spi_alloc_master(&pdev->dev, sizeof(struct fsl_dspi));
> + dspi = devm_kzalloc(&pdev->dev, sizeof(*dspi), GFP_KERNEL);
> + if (!dspi)
> + return -ENOMEM;
> +
> + ctlr = spi_alloc_master(&pdev->dev, 0);
> if (!ctlr)
> return -ENOMEM;
>
> - dspi = spi_controller_get_devdata(ctlr);
> dspi->pdev = pdev;
> dspi->ctlr = ctlr;
>
> @@ -1414,7 +1417,7 @@ static int dspi_probe(struct platform_device *pdev)
> if (dspi->devtype_data->trans_mode != DSPI_DMA_MODE)
> ctlr->ptp_sts_supported = true;
>
> - platform_set_drvdata(pdev, ctlr);
> + platform_set_drvdata(pdev, dspi);
>
> ret = spi_register_controller(ctlr);
> if (ret != 0) {
> @@ -1437,8 +1440,7 @@ static int dspi_probe(struct platform_device *pdev)
>
> static int dspi_remove(struct platform_device *pdev)
> {
> - struct spi_controller *ctlr = platform_get_drvdata(pdev);
> - struct fsl_dspi *dspi = spi_controller_get_devdata(ctlr);
> + struct fsl_dspi *dspi = platform_get_drvdata(pdev);
>
> /* Disconnect from the SPI framework */
> spi_unregister_controller(dspi->ctlr);
> --
> 2.25.1
>
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH AUTOSEL 5.8 28/29] spi: fsl-dspi: fix use-after-free in remove path
2020-09-29 6:22 ` Sascha Hauer
@ 2020-10-04 12:58 ` Sasha Levin
0 siblings, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2020-10-04 12:58 UTC (permalink / raw)
To: Sascha Hauer; +Cc: linux-kernel, stable, Mark Brown, linux-spi
On Tue, Sep 29, 2020 at 08:22:16AM +0200, Sascha Hauer wrote:
>Hi Sasha,
>
>On Mon, Sep 28, 2020 at 09:30:25PM -0400, Sasha Levin wrote:
>> From: Sascha Hauer <s.hauer@pengutronix.de>
>>
>> [ Upstream commit 530b5affc675ade5db4a03f04ed7cd66806c8a1a ]
>>
>> spi_unregister_controller() not only unregisters the controller, but
>> also frees the controller. This will free the driver data with it, so
>> we must not access it later dspi_remove().
>>
>> Solve this by allocating the driver data separately from the SPI
>> controller.
>>
>> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
>> Link: https://lore.kernel.org/r/20200923131026.20707-1-s.hauer@pengutronix.de
>> Signed-off-by: Mark Brown <broonie@kernel.org>
>> Signed-off-by: Sasha Levin <sashal@kernel.org>
>> ---
>> drivers/spi/spi-fsl-dspi.c | 12 +++++++-----
>> 1 file changed, 7 insertions(+), 5 deletions(-)
>
>This patch causes a regression and shouldn't be applied without the fix
>in https://lkml.org/lkml/2020/9/28/300.
Looks like the fix didn't make it yet, so I'll drop the patch.
--
Thanks,
Sasha
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-10-04 12:58 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20200929013027.2406344-1-sashal@kernel.org>
2020-09-29 1:30 ` [PATCH AUTOSEL 5.8 24/29] spi: fsl-espi: Only process interrupts for expected events Sasha Levin
2020-09-29 1:30 ` [PATCH AUTOSEL 5.8 28/29] spi: fsl-dspi: fix use-after-free in remove path Sasha Levin
2020-09-29 6:22 ` Sascha Hauer
2020-10-04 12:58 ` Sasha Levin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).