Linux-SPI Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH AUTOSEL 5.8 24/29] spi: fsl-espi: Only process interrupts for expected events
       [not found] <20200929013027.2406344-1-sashal@kernel.org>
@ 2020-09-29  1:30 ` Sasha Levin
  2020-09-29  1:30 ` [PATCH AUTOSEL 5.8 28/29] spi: fsl-dspi: fix use-after-free in remove path Sasha Levin
  1 sibling, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2020-09-29  1:30 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: Chris Packham, Mark Brown, Sasha Levin, linux-spi

From: Chris Packham <chris.packham@alliedtelesis.co.nz>

[ Upstream commit b867eef4cf548cd9541225aadcdcee644669b9e1 ]

The SPIE register contains counts for the TX FIFO so any time the irq
handler was invoked we would attempt to process the RX/TX fifos. Use the
SPIM value to mask the events so that we only process interrupts that
were expected.

This was a latent issue exposed by commit 3282a3da25bd ("powerpc/64:
Implement soft interrupt replay in C").

Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
Link: https://lore.kernel.org/r/20200904002812.7300-1-chris.packham@alliedtelesis.co.nz
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-fsl-espi.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/spi/spi-fsl-espi.c b/drivers/spi/spi-fsl-espi.c
index e60581283a247..6d148ab70b93e 100644
--- a/drivers/spi/spi-fsl-espi.c
+++ b/drivers/spi/spi-fsl-espi.c
@@ -564,13 +564,14 @@ static void fsl_espi_cpu_irq(struct fsl_espi *espi, u32 events)
 static irqreturn_t fsl_espi_irq(s32 irq, void *context_data)
 {
 	struct fsl_espi *espi = context_data;
-	u32 events;
+	u32 events, mask;
 
 	spin_lock(&espi->lock);
 
 	/* Get interrupt events(tx/rx) */
 	events = fsl_espi_read_reg(espi, ESPI_SPIE);
-	if (!events) {
+	mask = fsl_espi_read_reg(espi, ESPI_SPIM);
+	if (!(events & mask)) {
 		spin_unlock(&espi->lock);
 		return IRQ_NONE;
 	}
-- 
2.25.1


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH AUTOSEL 5.8 28/29] spi: fsl-dspi: fix use-after-free in remove path
       [not found] <20200929013027.2406344-1-sashal@kernel.org>
  2020-09-29  1:30 ` [PATCH AUTOSEL 5.8 24/29] spi: fsl-espi: Only process interrupts for expected events Sasha Levin
@ 2020-09-29  1:30 ` Sasha Levin
  2020-09-29  6:22   ` Sascha Hauer
  1 sibling, 1 reply; 4+ messages in thread
From: Sasha Levin @ 2020-09-29  1:30 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: Sascha Hauer, Mark Brown, Sasha Levin, linux-spi

From: Sascha Hauer <s.hauer@pengutronix.de>

[ Upstream commit 530b5affc675ade5db4a03f04ed7cd66806c8a1a ]

spi_unregister_controller() not only unregisters the controller, but
also frees the controller. This will free the driver data with it, so
we must not access it later dspi_remove().

Solve this by allocating the driver data separately from the SPI
controller.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Link: https://lore.kernel.org/r/20200923131026.20707-1-s.hauer@pengutronix.de
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-fsl-dspi.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/drivers/spi/spi-fsl-dspi.c b/drivers/spi/spi-fsl-dspi.c
index 91c6affe139c9..aae9f9a7aea6c 100644
--- a/drivers/spi/spi-fsl-dspi.c
+++ b/drivers/spi/spi-fsl-dspi.c
@@ -1273,11 +1273,14 @@ static int dspi_probe(struct platform_device *pdev)
 	void __iomem *base;
 	bool big_endian;
 
-	ctlr = spi_alloc_master(&pdev->dev, sizeof(struct fsl_dspi));
+	dspi = devm_kzalloc(&pdev->dev, sizeof(*dspi), GFP_KERNEL);
+	if (!dspi)
+		return -ENOMEM;
+
+	ctlr = spi_alloc_master(&pdev->dev, 0);
 	if (!ctlr)
 		return -ENOMEM;
 
-	dspi = spi_controller_get_devdata(ctlr);
 	dspi->pdev = pdev;
 	dspi->ctlr = ctlr;
 
@@ -1414,7 +1417,7 @@ static int dspi_probe(struct platform_device *pdev)
 	if (dspi->devtype_data->trans_mode != DSPI_DMA_MODE)
 		ctlr->ptp_sts_supported = true;
 
-	platform_set_drvdata(pdev, ctlr);
+	platform_set_drvdata(pdev, dspi);
 
 	ret = spi_register_controller(ctlr);
 	if (ret != 0) {
@@ -1437,8 +1440,7 @@ static int dspi_probe(struct platform_device *pdev)
 
 static int dspi_remove(struct platform_device *pdev)
 {
-	struct spi_controller *ctlr = platform_get_drvdata(pdev);
-	struct fsl_dspi *dspi = spi_controller_get_devdata(ctlr);
+	struct fsl_dspi *dspi = platform_get_drvdata(pdev);
 
 	/* Disconnect from the SPI framework */
 	spi_unregister_controller(dspi->ctlr);
-- 
2.25.1


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH AUTOSEL 5.8 28/29] spi: fsl-dspi: fix use-after-free in remove path
  2020-09-29  1:30 ` [PATCH AUTOSEL 5.8 28/29] spi: fsl-dspi: fix use-after-free in remove path Sasha Levin
@ 2020-09-29  6:22   ` Sascha Hauer
  2020-10-04 12:58     ` Sasha Levin
  0 siblings, 1 reply; 4+ messages in thread
From: Sascha Hauer @ 2020-09-29  6:22 UTC (permalink / raw)
  To: Sasha Levin; +Cc: linux-kernel, stable, Mark Brown, linux-spi

Hi Sasha,

On Mon, Sep 28, 2020 at 09:30:25PM -0400, Sasha Levin wrote:
> From: Sascha Hauer <s.hauer@pengutronix.de>
> 
> [ Upstream commit 530b5affc675ade5db4a03f04ed7cd66806c8a1a ]
> 
> spi_unregister_controller() not only unregisters the controller, but
> also frees the controller. This will free the driver data with it, so
> we must not access it later dspi_remove().
> 
> Solve this by allocating the driver data separately from the SPI
> controller.
> 
> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
> Link: https://lore.kernel.org/r/20200923131026.20707-1-s.hauer@pengutronix.de
> Signed-off-by: Mark Brown <broonie@kernel.org>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
>  drivers/spi/spi-fsl-dspi.c | 12 +++++++-----
>  1 file changed, 7 insertions(+), 5 deletions(-)

This patch causes a regression and shouldn't be applied without the fix
in https://lkml.org/lkml/2020/9/28/300.

Sascha

> index 91c6affe139c9..aae9f9a7aea6c 100644
> --- a/drivers/spi/spi-fsl-dspi.c
> +++ b/drivers/spi/spi-fsl-dspi.c
> @@ -1273,11 +1273,14 @@ static int dspi_probe(struct platform_device *pdev)
>  	void __iomem *base;
>  	bool big_endian;
>  
> -	ctlr = spi_alloc_master(&pdev->dev, sizeof(struct fsl_dspi));
> +	dspi = devm_kzalloc(&pdev->dev, sizeof(*dspi), GFP_KERNEL);
> +	if (!dspi)
> +		return -ENOMEM;
> +
> +	ctlr = spi_alloc_master(&pdev->dev, 0);
>  	if (!ctlr)
>  		return -ENOMEM;
>  
> -	dspi = spi_controller_get_devdata(ctlr);
>  	dspi->pdev = pdev;
>  	dspi->ctlr = ctlr;
>  
> @@ -1414,7 +1417,7 @@ static int dspi_probe(struct platform_device *pdev)
>  	if (dspi->devtype_data->trans_mode != DSPI_DMA_MODE)
>  		ctlr->ptp_sts_supported = true;
>  
> -	platform_set_drvdata(pdev, ctlr);
> +	platform_set_drvdata(pdev, dspi);
>  
>  	ret = spi_register_controller(ctlr);
>  	if (ret != 0) {
> @@ -1437,8 +1440,7 @@ static int dspi_probe(struct platform_device *pdev)
>  
>  static int dspi_remove(struct platform_device *pdev)
>  {
> -	struct spi_controller *ctlr = platform_get_drvdata(pdev);
> -	struct fsl_dspi *dspi = spi_controller_get_devdata(ctlr);
> +	struct fsl_dspi *dspi = platform_get_drvdata(pdev);
>  
>  	/* Disconnect from the SPI framework */
>  	spi_unregister_controller(dspi->ctlr);
> -- 
> 2.25.1
> 
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH AUTOSEL 5.8 28/29] spi: fsl-dspi: fix use-after-free in remove path
  2020-09-29  6:22   ` Sascha Hauer
@ 2020-10-04 12:58     ` Sasha Levin
  0 siblings, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2020-10-04 12:58 UTC (permalink / raw)
  To: Sascha Hauer; +Cc: linux-kernel, stable, Mark Brown, linux-spi

On Tue, Sep 29, 2020 at 08:22:16AM +0200, Sascha Hauer wrote:
>Hi Sasha,
>
>On Mon, Sep 28, 2020 at 09:30:25PM -0400, Sasha Levin wrote:
>> From: Sascha Hauer <s.hauer@pengutronix.de>
>>
>> [ Upstream commit 530b5affc675ade5db4a03f04ed7cd66806c8a1a ]
>>
>> spi_unregister_controller() not only unregisters the controller, but
>> also frees the controller. This will free the driver data with it, so
>> we must not access it later dspi_remove().
>>
>> Solve this by allocating the driver data separately from the SPI
>> controller.
>>
>> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
>> Link: https://lore.kernel.org/r/20200923131026.20707-1-s.hauer@pengutronix.de
>> Signed-off-by: Mark Brown <broonie@kernel.org>
>> Signed-off-by: Sasha Levin <sashal@kernel.org>
>> ---
>>  drivers/spi/spi-fsl-dspi.c | 12 +++++++-----
>>  1 file changed, 7 insertions(+), 5 deletions(-)
>
>This patch causes a regression and shouldn't be applied without the fix
>in https://lkml.org/lkml/2020/9/28/300.

Looks like the fix didn't make it yet, so I'll drop the patch.

-- 
Thanks,
Sasha

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, back to index

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <20200929013027.2406344-1-sashal@kernel.org>
2020-09-29  1:30 ` [PATCH AUTOSEL 5.8 24/29] spi: fsl-espi: Only process interrupts for expected events Sasha Levin
2020-09-29  1:30 ` [PATCH AUTOSEL 5.8 28/29] spi: fsl-dspi: fix use-after-free in remove path Sasha Levin
2020-09-29  6:22   ` Sascha Hauer
2020-10-04 12:58     ` Sasha Levin

Linux-SPI Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-spi/0 linux-spi/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-spi linux-spi/ https://lore.kernel.org/linux-spi \
		linux-spi@vger.kernel.org
	public-inbox-index linux-spi

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-spi


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git