* [PATCH AUTOSEL 5.8 24/29] spi: fsl-espi: Only process interrupts for expected events [not found] <20200929013027.2406344-1-sashal@kernel.org> @ 2020-09-29 1:30 ` Sasha Levin 2020-09-29 1:30 ` [PATCH AUTOSEL 5.8 28/29] spi: fsl-dspi: fix use-after-free in remove path Sasha Levin 1 sibling, 0 replies; 4+ messages in thread From: Sasha Levin @ 2020-09-29 1:30 UTC (permalink / raw) To: linux-kernel, stable; +Cc: Chris Packham, Mark Brown, Sasha Levin, linux-spi From: Chris Packham <chris.packham@alliedtelesis.co.nz> [ Upstream commit b867eef4cf548cd9541225aadcdcee644669b9e1 ] The SPIE register contains counts for the TX FIFO so any time the irq handler was invoked we would attempt to process the RX/TX fifos. Use the SPIM value to mask the events so that we only process interrupts that were expected. This was a latent issue exposed by commit 3282a3da25bd ("powerpc/64: Implement soft interrupt replay in C"). Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz> Link: https://lore.kernel.org/r/20200904002812.7300-1-chris.packham@alliedtelesis.co.nz Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> --- drivers/spi/spi-fsl-espi.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/spi/spi-fsl-espi.c b/drivers/spi/spi-fsl-espi.c index e60581283a247..6d148ab70b93e 100644 --- a/drivers/spi/spi-fsl-espi.c +++ b/drivers/spi/spi-fsl-espi.c @@ -564,13 +564,14 @@ static void fsl_espi_cpu_irq(struct fsl_espi *espi, u32 events) static irqreturn_t fsl_espi_irq(s32 irq, void *context_data) { struct fsl_espi *espi = context_data; - u32 events; + u32 events, mask; spin_lock(&espi->lock); /* Get interrupt events(tx/rx) */ events = fsl_espi_read_reg(espi, ESPI_SPIE); - if (!events) { + mask = fsl_espi_read_reg(espi, ESPI_SPIM); + if (!(events & mask)) { spin_unlock(&espi->lock); return IRQ_NONE; } -- 2.25.1 ^ permalink raw reply related [flat|nested] 4+ messages in thread
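Review bot: in fsl_espi_irq(), `events & mask` is used only for the IRQ_NONE test, so `events` still holds the unmasked SPIE value once the check passes. If the code after this hunk hands `events` to fsl_espi_cpu_irq() or writes it back to SPIE, a call with one expected bit set will still act on bits that are not enabled in SPIM. Consider `events &= mask;` before the test, or add a short comment saying why the unmasked value is wanted downstream.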
* [PATCH AUTOSEL 5.8 28/29] spi: fsl-dspi: fix use-after-free in remove path [not found] <20200929013027.2406344-1-sashal@kernel.org> 2020-09-29 1:30 ` [PATCH AUTOSEL 5.8 24/29] spi: fsl-espi: Only process interrupts for expected events Sasha Levin @ 2020-09-29 1:30 ` Sasha Levin 2020-09-29 6:22 ` Sascha Hauer 1 sibling, 1 reply; 4+ messages in thread From: Sasha Levin @ 2020-09-29 1:30 UTC (permalink / raw) To: linux-kernel, stable; +Cc: Sascha Hauer, Mark Brown, Sasha Levin, linux-spi From: Sascha Hauer <s.hauer@pengutronix.de> [ Upstream commit 530b5affc675ade5db4a03f04ed7cd66806c8a1a ] spi_unregister_controller() not only unregisters the controller, but also frees the controller. This will free the driver data with it, so we must not access it later dspi_remove(). Solve this by allocating the driver data separately from the SPI controller. Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de> Link: https://lore.kernel.org/r/20200923131026.20707-1-s.hauer@pengutronix.de Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> --- drivers/spi/spi-fsl-dspi.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/drivers/spi/spi-fsl-dspi.c b/drivers/spi/spi-fsl-dspi.c index 91c6affe139c9..aae9f9a7aea6c 100644 --- a/drivers/spi/spi-fsl-dspi.c +++ b/drivers/spi/spi-fsl-dspi.c @@ -1273,11 +1273,14 @@ static int dspi_probe(struct platform_device *pdev) void __iomem *base; bool big_endian; - ctlr = spi_alloc_master(&pdev->dev, sizeof(struct fsl_dspi)); + dspi = devm_kzalloc(&pdev->dev, sizeof(*dspi), GFP_KERNEL); + if (!dspi) + return -ENOMEM; + + ctlr = spi_alloc_master(&pdev->dev, 0); if (!ctlr) return -ENOMEM; - dspi = spi_controller_get_devdata(ctlr); dspi->pdev = pdev; dspi->ctlr = ctlr; 
@@ -1414,7 +1417,7 @@ static int dspi_probe(struct platform_device *pdev) if (dspi->devtype_data->trans_mode != DSPI_DMA_MODE) ctlr->ptp_sts_supported = true; - platform_set_drvdata(pdev, ctlr); + platform_set_drvdata(pdev, dspi); ret = spi_register_controller(ctlr); if (ret != 0) { @@ -1437,8 +1440,7 @@ static int dspi_probe(struct platform_device *pdev) static int dspi_remove(struct platform_device *pdev) { - struct spi_controller *ctlr = platform_get_drvdata(pdev); - struct fsl_dspi *dspi = spi_controller_get_devdata(ctlr); + struct fsl_dspi *dspi = platform_get_drvdata(pdev); /* Disconnect from the SPI framework */ spi_unregister_controller(dspi->ctlr); -- 2.25.1 ^ permalink raw reply related [flat|nested] 4+ messages in thread
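Review bot: in the dspi_probe() allocation hunk, `spi_alloc_master(&pdev->dev, 0)` leaves the controller without driver data, and nothing in the visible lines calls spi_controller_set_devdata(ctlr, dspi). Any path outside these hunks that still calls spi_controller_get_devdata() on the controller would no longer get a valid struct fsl_dspi. Either set the devdata right after `dspi->ctlr = ctlr;` or confirm that no such caller remains in the file.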
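Review bot: the `platform_set_drvdata(pdev, dspi);` change switches the drvdata type from struct spi_controller to struct fsl_dspi, but dspi_remove() is the only reader updated to match. The diffstat covers just these three hunks, so any other reader of the drvdata in this file (for example PM callbacks that use dev_get_drvdata()) would now treat a struct fsl_dspi as a controller pointer. Please audit the remaining readers and convert them in the same patch.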
* Re: [PATCH AUTOSEL 5.8 28/29] spi: fsl-dspi: fix use-after-free in remove path 2020-09-29 1:30 ` [PATCH AUTOSEL 5.8 28/29] spi: fsl-dspi: fix use-after-free in remove path Sasha Levin @ 2020-09-29 6:22 ` Sascha Hauer 2020-10-04 12:58 ` Sasha Levin 0 siblings, 1 reply; 4+ messages in thread From: Sascha Hauer @ 2020-09-29 6:22 UTC (permalink / raw) To: Sasha Levin; +Cc: linux-kernel, stable, Mark Brown, linux-spi Hi Sasha, On Mon, Sep 28, 2020 at 09:30:25PM -0400, Sasha Levin wrote: > From: Sascha Hauer <s.hauer@pengutronix.de> > > [ Upstream commit 530b5affc675ade5db4a03f04ed7cd66806c8a1a ] > > spi_unregister_controller() not only unregisters the controller, but > also frees the controller. This will free the driver data with it, so > we must not access it later dspi_remove(). > > Solve this by allocating the driver data separately from the SPI > controller. > > Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de> > Link: https://lore.kernel.org/r/20200923131026.20707-1-s.hauer@pengutronix.de > Signed-off-by: Mark Brown <broonie@kernel.org> > Signed-off-by: Sasha Levin <sashal@kernel.org> > --- > drivers/spi/spi-fsl-dspi.c | 12 +++++++----- > 1 file changed, 7 insertions(+), 5 deletions(-) This patch causes a regression and shouldn't be applied without the fix in https://lkml.org/lkml/2020/9/28/300. Sascha > index 91c6affe139c9..aae9f9a7aea6c 100644 > --- a/drivers/spi/spi-fsl-dspi.c > +++ b/drivers/spi/spi-fsl-dspi.c > @@ -1273,11 +1273,14 @@ static int dspi_probe(struct platform_device *pdev) > void __iomem *base; > bool big_endian; > > - ctlr = spi_alloc_master(&pdev->dev, sizeof(struct fsl_dspi)); > + dspi = devm_kzalloc(&pdev->dev, sizeof(*dspi), GFP_KERNEL); > + if (!dspi) > + return -ENOMEM; > + > + ctlr = spi_alloc_master(&pdev->dev, 0); > if (!ctlr) > return -ENOMEM; > > - dspi = spi_controller_get_devdata(ctlr); > dspi->pdev = pdev; > dspi->ctlr = ctlr; 
> > @@ -1414,7 +1417,7 @@ static int dspi_probe(struct platform_device *pdev) > if (dspi->devtype_data->trans_mode != DSPI_DMA_MODE) > ctlr->ptp_sts_supported = true; > > - platform_set_drvdata(pdev, ctlr); > + platform_set_drvdata(pdev, dspi); > > ret = spi_register_controller(ctlr); > if (ret != 0) { > @@ -1437,8 +1440,7 @@ static int dspi_probe(struct platform_device *pdev) > > static int dspi_remove(struct platform_device *pdev) > { > - struct spi_controller *ctlr = platform_get_drvdata(pdev); > - struct fsl_dspi *dspi = spi_controller_get_devdata(ctlr); > + struct fsl_dspi *dspi = platform_get_drvdata(pdev); > > /* Disconnect from the SPI framework */ > spi_unregister_controller(dspi->ctlr); > -- > 2.25.1 > > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH AUTOSEL 5.8 28/29] spi: fsl-dspi: fix use-after-free in remove path 2020-09-29 6:22 ` Sascha Hauer @ 2020-10-04 12:58 ` Sasha Levin 0 siblings, 0 replies; 4+ messages in thread From: Sasha Levin @ 2020-10-04 12:58 UTC (permalink / raw) To: Sascha Hauer; +Cc: linux-kernel, stable, Mark Brown, linux-spi On Tue, Sep 29, 2020 at 08:22:16AM +0200, Sascha Hauer wrote: >Hi Sasha, > >On Mon, Sep 28, 2020 at 09:30:25PM -0400, Sasha Levin wrote: >> From: Sascha Hauer <s.hauer@pengutronix.de> >> >> [ Upstream commit 530b5affc675ade5db4a03f04ed7cd66806c8a1a ] >> >> spi_unregister_controller() not only unregisters the controller, but >> also frees the controller. This will free the driver data with it, so >> we must not access it later dspi_remove(). >> >> Solve this by allocating the driver data separately from the SPI >> controller. >> >> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de> >> Link: https://lore.kernel.org/r/20200923131026.20707-1-s.hauer@pengutronix.de >> Signed-off-by: Mark Brown <broonie@kernel.org> >> Signed-off-by: Sasha Levin <sashal@kernel.org> >> --- >> drivers/spi/spi-fsl-dspi.c | 12 +++++++----- >> 1 file changed, 7 insertions(+), 5 deletions(-) > >This patch causes a regression and shouldn't be applied without the fix >in https://lkml.org/lkml/2020/9/28/300. Looks like the fix didn't make it yet, so I'll drop the patch. -- Thanks, Sasha ^ permalink raw reply [flat|nested] 4+ messages in thread