2020-10-29 09:09:25

by Zhao Qiang

Subject: [PATCH] spi: fsl-dspi: fix NULL pointer dereference

From: Zhao Qiang <[email protected]>

Since commit 530b5affc675 ("spi: fsl-dspi: fix use-after-free in
remove path"), this driver causes a kernel oops:

[ 64.587431] Unable to handle kernel NULL pointer dereference at
virtual address 0000000000000020
[..]
[ 64.756080] Call trace:
[ 64.758526] dspi_suspend+0x30/0x78
[ 64.762012] platform_pm_suspend+0x28/0x70
[ 64.766107] dpm_run_callback.isra.19+0x24/0x70
[ 64.770635] __device_suspend+0xf4/0x2f0
[ 64.774553] dpm_suspend+0xec/0x1e0
[ 64.778036] dpm_suspend_start+0x80/0xa0
[ 64.781957] suspend_devices_and_enter+0x118/0x4f0
[ 64.786743] pm_suspend+0x1e0/0x260
[ 64.790227] state_store+0x8c/0x118
[ 64.793712] kobj_attr_store+0x18/0x30
[ 64.797459] sysfs_kf_write+0x40/0x58
[ 64.801118] kernfs_fop_write+0x148/0x240
[ 64.805126] vfs_write+0xc0/0x230
[ 64.808436] ksys_write+0x6c/0x100
[ 64.811833] __arm64_sys_write+0x1c/0x28
[ 64.815753] el0_svc_common.constprop.3+0x68/0x170
[ 64.820541] do_el0_svc+0x24/0x90
[ 64.823853] el0_sync_handler+0x118/0x168
[ 64.827858] el0_sync+0x158/0x180

This is because, since this commit, the driver's private data points to
"dspi" instead of "ctlr", but the code in the suspend and resume functions was
not modified correspondingly.

Fixes: 530b5affc675 ("spi: fsl-dspi: fix use-after-free in remove path")
Signed-off-by: Zhao Qiang <[email protected]>
---
drivers/spi/spi-fsl-dspi.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/drivers/spi/spi-fsl-dspi.c b/drivers/spi/spi-fsl-dspi.c
index 3967afa..1a08c1d 100644
--- a/drivers/spi/spi-fsl-dspi.c
+++ b/drivers/spi/spi-fsl-dspi.c
@@ -1080,12 +1080,11 @@ MODULE_DEVICE_TABLE(of, fsl_dspi_dt_ids);
#ifdef CONFIG_PM_SLEEP
static int dspi_suspend(struct device *dev)
{
- struct spi_controller *ctlr = dev_get_drvdata(dev);
- struct fsl_dspi *dspi = spi_controller_get_devdata(ctlr);
+ struct fsl_dspi *dspi = dev_get_drvdata(dev);

if (dspi->irq)
disable_irq(dspi->irq);
- spi_controller_suspend(ctlr);
+ spi_controller_suspend(dspi->ctlr);
clk_disable_unprepare(dspi->clk);

pinctrl_pm_select_sleep_state(dev);
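Review bot: The commit message should state the concrete cause this hunk corrects, namely that since 530b5affc675 dev_get_drvdata(dev) returns the struct fsl_dspi, so the removed first line was passing a struct fsl_dspi to spi_controller_get_devdata() as if it were a struct spi_controller and the resulting "dspi" was bogus; saying that, and that it happens in dspi_suspend()/dspi_resume(), is more useful to a backporter than the backtrace. The subject "fix NULL pointer dereference" should also be distinguished from the existing commit of that title on this driver mentioned later in the thread.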
@@ -1095,8 +1094,7 @@ static int dspi_suspend(struct device *dev)

static int dspi_resume(struct device *dev)
{
- struct spi_controller *ctlr = dev_get_drvdata(dev);
- struct fsl_dspi *dspi = spi_controller_get_devdata(ctlr);
+ struct fsl_dspi *dspi = dev_get_drvdata(dev);
int ret;

pinctrl_pm_select_default_state(dev);
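Review bot: Both callbacks now reach the controller through dspi->ctlr, so the fix is only correct if probe stores that back-pointer before it calls platform_set_drvdata() with the dspi; probe is outside this diff, so one sentence in the commit message confirming that dspi->ctlr is populated at probe time would let reviewers and backporters verify the change without opening the file.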
@@ -1104,7 +1102,7 @@ static int dspi_resume(struct device *dev)
ret = clk_prepare_enable(dspi->clk);
if (ret)
return ret;
- spi_controller_resume(ctlr);
+ spi_controller_resume(dspi->ctlr);
if (dspi->irq)
enable_irq(dspi->irq);

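Review bot: spi_controller_resume(dspi->ctlr) returns an int that is dropped, while clk_prepare_enable() two lines above is checked; this is pre-existing rather than introduced here, so keep this Fixes: patch minimal, but consider a follow-up that propagates the error (and likewise for spi_controller_suspend() in dspi_suspend()).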
--
2.7.4


2020-10-29 11:07:11

by Vladimir Oltean

Subject: Re: [PATCH] spi: fsl-dspi: fix NULL pointer dereference

On Thu, Oct 29, 2020 at 04:40:35PM +0800, Qiang Zhao wrote:
> From: Zhao Qiang <[email protected]>
>
> Since commit 530b5affc675 ("spi: fsl-dspi: fix use-after-free in
> remove path"), this driver causes a kernel oops:
>
> [ 64.587431] Unable to handle kernel NULL pointer dereference at
> virtual address 0000000000000020
> [..]
> [ 64.756080] Call trace:
> [ 64.758526] dspi_suspend+0x30/0x78
> [ 64.762012] platform_pm_suspend+0x28/0x70
> [ 64.766107] dpm_run_callback.isra.19+0x24/0x70
> [ 64.770635] __device_suspend+0xf4/0x2f0
> [ 64.774553] dpm_suspend+0xec/0x1e0
> [ 64.778036] dpm_suspend_start+0x80/0xa0
> [ 64.781957] suspend_devices_and_enter+0x118/0x4f0
> [ 64.786743] pm_suspend+0x1e0/0x260
> [ 64.790227] state_store+0x8c/0x118
> [ 64.793712] kobj_attr_store+0x18/0x30
> [ 64.797459] sysfs_kf_write+0x40/0x58
> [ 64.801118] kernfs_fop_write+0x148/0x240
> [ 64.805126] vfs_write+0xc0/0x230
> [ 64.808436] ksys_write+0x6c/0x100
> [ 64.811833] __arm64_sys_write+0x1c/0x28
> [ 64.815753] el0_svc_common.constprop.3+0x68/0x170
> [ 64.820541] do_el0_svc+0x24/0x90
> [ 64.823853] el0_sync_handler+0x118/0x168
> [ 64.827858] el0_sync+0x158/0x180
>
> This is because, since this commit, the driver's private data points to
> "dspi" instead of "ctlr", but the code in the suspend and resume functions was
> not modified correspondingly.
>
> Fixes: 530b5affc675 ("spi: fsl-dspi: fix use-after-free in remove path")
> Signed-off-by: Zhao Qiang <[email protected]>
> ---

Please update your tree.
https://github.com/torvalds/linux/commit/6e3837668e00fb914ac2b43158ef51b027ec385c

2020-10-30 02:08:07

by Zhao Qiang

Subject: RE: [PATCH] spi: fsl-dspi: fix NULL pointer dereference

On Thu, Oct 29, 2020 at 19:03PM, Vladimir Oltean <[email protected]> wrote:


> -----Original Message-----
> From: Vladimir Oltean <[email protected]>
> Sent: 2020-10-29 19:03
> To: Qiang Zhao <[email protected]>
> Cc: [email protected]; [email protected];
> [email protected]
> Subject: Re: [PATCH] spi: fsl-dspi: fix NULL pointer dereference
>
> On Thu, Oct 29, 2020 at 04:40:35PM +0800, Qiang Zhao wrote:
> > From: Zhao Qiang <[email protected]>
> >
> > Since commit 530b5affc675 ("spi: fsl-dspi: fix use-after-free in
> > remove path"), this driver causes a kernel oops:
> >
> > [ 64.587431] Unable to handle kernel NULL pointer dereference at
> > virtual address 0000000000000020
> > [..]
> > [ 64.756080] Call trace:
> > [ 64.758526] dspi_suspend+0x30/0x78
> > [ 64.762012] platform_pm_suspend+0x28/0x70
> > [ 64.766107] dpm_run_callback.isra.19+0x24/0x70
> > [ 64.770635] __device_suspend+0xf4/0x2f0
> > [ 64.774553] dpm_suspend+0xec/0x1e0
> > [ 64.778036] dpm_suspend_start+0x80/0xa0
> > [ 64.781957] suspend_devices_and_enter+0x118/0x4f0
> > [ 64.786743] pm_suspend+0x1e0/0x260
> > [ 64.790227] state_store+0x8c/0x118
> > [ 64.793712] kobj_attr_store+0x18/0x30
> > [ 64.797459] sysfs_kf_write+0x40/0x58
> > [ 64.801118] kernfs_fop_write+0x148/0x240
> > [ 64.805126] vfs_write+0xc0/0x230
> > [ 64.808436] ksys_write+0x6c/0x100
> > [ 64.811833] __arm64_sys_write+0x1c/0x28
> > [ 64.815753] el0_svc_common.constprop.3+0x68/0x170
> > [ 64.820541] do_el0_svc+0x24/0x90
> > [ 64.823853] el0_sync_handler+0x118/0x168
> > [ 64.827858] el0_sync+0x158/0x180
> >
> > This is because, since this commit, the driver's private data points to
> > "dspi" instead of "ctlr", but the code in the suspend and resume functions was
> > not modified correspondingly.
> >
> > Fixes: 530b5affc675 ("spi: fsl-dspi: fix use-after-free in remove
> > path")
> > Signed-off-by: Zhao Qiang <[email protected]>
> > ---
>
> Please update your tree.
> https://github.com/torvalds/linux/commit/6e3837668e00fb914ac2b43158ef51b027ec385c

I saw the patch; it only fixes the issue when the kernel is booted up.
But there is still the issue when the driver suspends and resumes.

Best Regards
Qiang Zhao

2020-10-30 13:04:24

by Mark Brown

Subject: Re: [PATCH] spi: fsl-dspi: fix NULL pointer dereference

On Thu, Oct 29, 2020 at 04:40:35PM +0800, Qiang Zhao wrote:

> [ 64.587431] Unable to handle kernel NULL pointer dereference at
> virtual address 0000000000000020
> [..]
> [ 64.756080] Call trace:
> [ 64.758526] dspi_suspend+0x30/0x78
> [ 64.762012] platform_pm_suspend+0x28/0x70
> [ 64.766107] dpm_run_callback.isra.19+0x24/0x70
> [ 64.770635] __device_suspend+0xf4/0x2f0
> [ 64.774553] dpm_suspend+0xec/0x1e0
> [ 64.778036] dpm_suspend_start+0x80/0xa0
> [ 64.781957] suspend_devices_and_enter+0x118/0x4f0
> [ 64.786743] pm_suspend+0x1e0/0x260
> [ 64.790227] state_store+0x8c/0x118
> [ 64.793712] kobj_attr_store+0x18/0x30
> [ 64.797459] sysfs_kf_write+0x40/0x58
> [ 64.801118] kernfs_fop_write+0x148/0x240
> [ 64.805126] vfs_write+0xc0/0x230
> [ 64.808436] ksys_write+0x6c/0x100
> [ 64.811833] __arm64_sys_write+0x1c/0x28
> [ 64.815753] el0_svc_common.constprop.3+0x68/0x170
> [ 64.820541] do_el0_svc+0x24/0x90
> [ 64.823853] el0_sync_handler+0x118/0x168
> [ 64.827858] el0_sync+0x158/0x180

Please think hard before including complete backtraces in upstream
reports, they are very large and contain almost no useful information
relative to their size so often obscure the relevant content in your
message. If part of the backtrace is usefully illustrative (it often is
for search engines if nothing else) then it's usually better to pull out
the relevant sections.



2020-10-30 13:16:24

by Vladimir Oltean

Subject: Re: [PATCH] spi: fsl-dspi: fix NULL pointer dereference

On Fri, Oct 30, 2020 at 02:04:06AM +0000, Qiang Zhao wrote:
> I saw the patch; it only fixes the issue when the kernel is booted up.
> But there is still the issue when the driver suspends and resumes.

I see, sorry, I only paid attention to the commit message since it
wasn't explicit that it is about the suspend/resume case. Let me look
closer at the patch.

2020-10-30 13:22:29

by Vladimir Oltean

Subject: Re: [PATCH] spi: fsl-dspi: fix NULL pointer dereference

On Thu, Oct 29, 2020 at 04:40:35PM +0800, Qiang Zhao wrote:
> From: Zhao Qiang <[email protected]>
>
> Since commit 530b5affc675 ("spi: fsl-dspi: fix use-after-free in
> remove path"), this driver causes a kernel oops:
>
> [ 64.587431] Unable to handle kernel NULL pointer dereference at
> virtual address 0000000000000020
> [..]
> [ 64.756080] Call trace:
> [ 64.758526] dspi_suspend+0x30/0x78
> [ 64.762012] platform_pm_suspend+0x28/0x70
> [ 64.766107] dpm_run_callback.isra.19+0x24/0x70
> [ 64.770635] __device_suspend+0xf4/0x2f0
> [ 64.774553] dpm_suspend+0xec/0x1e0
> [ 64.778036] dpm_suspend_start+0x80/0xa0
> [ 64.781957] suspend_devices_and_enter+0x118/0x4f0
> [ 64.786743] pm_suspend+0x1e0/0x260
> [ 64.790227] state_store+0x8c/0x118
> [ 64.793712] kobj_attr_store+0x18/0x30
> [ 64.797459] sysfs_kf_write+0x40/0x58
> [ 64.801118] kernfs_fop_write+0x148/0x240
> [ 64.805126] vfs_write+0xc0/0x230
> [ 64.808436] ksys_write+0x6c/0x100
> [ 64.811833] __arm64_sys_write+0x1c/0x28
> [ 64.815753] el0_svc_common.constprop.3+0x68/0x170
> [ 64.820541] do_el0_svc+0x24/0x90
> [ 64.823853] el0_sync_handler+0x118/0x168
> [ 64.827858] el0_sync+0x158/0x180
>
> This is because, since this commit, the driver's private data points to
> "dspi" instead of "ctlr", but the code in the suspend and resume functions was
> not modified correspondingly.
>
> Fixes: 530b5affc675 ("spi: fsl-dspi: fix use-after-free in remove path")
> Signed-off-by: Zhao Qiang <[email protected]>
> ---

Reviewed-by: Vladimir Oltean <[email protected]>

Please resend with Mark's comment. I would prefer that you even remove
the stack trace completely and make it more obvious in the commit
message itself that the NULL pointer occurs during suspend/resume.
Somehow that managed to get obscured in your current version. It is also
not helpful at all that there already exists a commit titled 'spi:
fsl-dspi: fix NULL pointer dereference' on this driver. This causes
confusion for backporters. Please provide a unique commit message.
Thanks.

2020-11-02 02:03:54

by Zhao Qiang

Subject: RE: [PATCH] spi: fsl-dspi: fix NULL pointer dereference

On Thu, Oct 30, 2020 at 21:02PM, Mark Brown <[email protected]> wrote:

> -----Original Message-----
> From: Mark Brown <[email protected]>
> Sent: 2020-10-30 21:02
> To: Qiang Zhao <[email protected]>
> Cc: [email protected]; [email protected];
> [email protected]
> Subject: Re: [PATCH] spi: fsl-dspi: fix NULL pointer dereference
>
> On Thu, Oct 29, 2020 at 04:40:35PM +0800, Qiang Zhao wrote:
>
> > [ 64.587431] Unable to handle kernel NULL pointer dereference at
> > virtual address 0000000000000020
> > [..]
> > [ 64.756080] Call trace:
> > [ 64.758526] dspi_suspend+0x30/0x78
> > [ 64.762012] platform_pm_suspend+0x28/0x70
> > [ 64.766107] dpm_run_callback.isra.19+0x24/0x70
> > [ 64.770635] __device_suspend+0xf4/0x2f0
> > [ 64.774553] dpm_suspend+0xec/0x1e0
> > [ 64.778036] dpm_suspend_start+0x80/0xa0
> > [ 64.781957] suspend_devices_and_enter+0x118/0x4f0
> > [ 64.786743] pm_suspend+0x1e0/0x260
> > [ 64.790227] state_store+0x8c/0x118
> > [ 64.793712] kobj_attr_store+0x18/0x30
> > [ 64.797459] sysfs_kf_write+0x40/0x58
> > [ 64.801118] kernfs_fop_write+0x148/0x240
> > [ 64.805126] vfs_write+0xc0/0x230
> > [ 64.808436] ksys_write+0x6c/0x100
> > [ 64.811833] __arm64_sys_write+0x1c/0x28
> > [ 64.815753] el0_svc_common.constprop.3+0x68/0x170
> > [ 64.820541] do_el0_svc+0x24/0x90
> > [ 64.823853] el0_sync_handler+0x118/0x168
> > [ 64.827858] el0_sync+0x158/0x180
>
> Please think hard before including complete backtraces in upstream reports,
> they are very large and contain almost no useful information relative to their
> size so often obscure the relevant content in your message. If part of the
> backtrace is usefully illustrative (it often is for search engines if nothing else)
> then it's usually better to pull out the relevant sections.

Ok, will modify it in the next version.

Best Regards,
Qiang Zhao

2020-11-02 02:23:20

by Zhao Qiang

Subject: RE: [PATCH] spi: fsl-dspi: fix NULL pointer dereference

On Thu, Oct 30, 2020 at 21:18PM +0800, Vladimir Oltean <[email protected]> wrote:

> -----Original Message-----
> From: Vladimir Oltean <[email protected]>
> Sent: 2020-10-30 21:18
> To: Qiang Zhao <[email protected]>
> Cc: [email protected]; [email protected];
> [email protected]
> Subject: Re: [PATCH] spi: fsl-dspi: fix NULL pointer dereference
>
> On Thu, Oct 29, 2020 at 04:40:35PM +0800, Qiang Zhao wrote:
> > From: Zhao Qiang <[email protected]>
> >
> > Since commit 530b5affc675 ("spi: fsl-dspi: fix use-after-free in
> > remove path"), this driver causes a kernel oops:
> >
> > [ 64.587431] Unable to handle kernel NULL pointer dereference at
> > virtual address 0000000000000020
> > [..]
> > [ 64.756080] Call trace:
> > [ 64.758526] dspi_suspend+0x30/0x78
> > [ 64.762012] platform_pm_suspend+0x28/0x70
> >
> > This is because, since this commit, the driver's private data points to
> > "dspi" instead of "ctlr", but the code in the suspend and resume functions was
> > not modified correspondingly.
> >
> > Fixes: 530b5affc675 ("spi: fsl-dspi: fix use-after-free in remove
> > path")
> > Signed-off-by: Zhao Qiang <[email protected]>
> > ---
>
> Reviewed-by: Vladimir Oltean <[email protected]>
>
> Please resend with Mark's comment. I would prefer that you even remove the
> stack trace completely and make it more obvious in the commit message itself
> that the NULL pointer occurs during suspend/resume.
> Somehow that managed to get obscured in your current version. It is also not
> helpful at all that there already exists a commit titled 'spi:
> fsl-dspi: fix NULL pointer dereference' on this driver. This causes confusion for
> backporters. Please provide a unique commit message.
> Thanks.

How about something like the below:

spi: fsl-dspi: fix wrong pointer in suspend/resume

Since commit 530b5affc675 ("spi: fsl-dspi: fix use-after-free in
remove path"), this driver causes a "NULL pointer dereference"
in dspi_suspend/resume.
This is because, since this commit, the driver's private data points to
"dspi" instead of "ctlr", but the code in the suspend and resume functions was
not modified correspondingly.


Best Regards,
Qiang Zhao

2020-11-02 11:21:44

by Vladimir Oltean

Subject: Re: [PATCH] spi: fsl-dspi: fix NULL pointer dereference

On Mon, Nov 02, 2020 at 02:19:28AM +0000, Qiang Zhao wrote:
> How about something like the below:
>
> spi: fsl-dspi: fix wrong pointer in suspend/resume
>
> Since commit 530b5affc675 ("spi: fsl-dspi: fix use-after-free in
> remove path"), this driver causes a "NULL pointer dereference"
> in dspi_suspend/resume.
> This is because, since this commit, the driver's private data points to
> "dspi" instead of "ctlr", but the code in the suspend and resume functions was
> not modified correspondingly.

Looks ok.

2020-11-05 01:07:35

by Mark Brown

Subject: Re: [PATCH] spi: fsl-dspi: fix NULL pointer dereference

On Thu, 29 Oct 2020 16:40:35 +0800, Qiang Zhao wrote:
> Since commit 530b5affc675 ("spi: fsl-dspi: fix use-after-free in
> remove path"), this driver causes a kernel oops:
>
> [ 64.587431] Unable to handle kernel NULL pointer dereference at
> virtual address 0000000000000020
> [..]
> [ 64.756080] Call trace:
> [ 64.758526] dspi_suspend+0x30/0x78
> [ 64.762012] platform_pm_suspend+0x28/0x70
> [ 64.766107] dpm_run_callback.isra.19+0x24/0x70
> [ 64.770635] __device_suspend+0xf4/0x2f0
> [ 64.774553] dpm_suspend+0xec/0x1e0
> [ 64.778036] dpm_suspend_start+0x80/0xa0
> [ 64.781957] suspend_devices_and_enter+0x118/0x4f0
> [ 64.786743] pm_suspend+0x1e0/0x260
> [ 64.790227] state_store+0x8c/0x118
> [ 64.793712] kobj_attr_store+0x18/0x30
> [ 64.797459] sysfs_kf_write+0x40/0x58
> [ 64.801118] kernfs_fop_write+0x148/0x240
> [ 64.805126] vfs_write+0xc0/0x230
> [ 64.808436] ksys_write+0x6c/0x100
> [ 64.811833] __arm64_sys_write+0x1c/0x28
> [ 64.815753] el0_svc_common.constprop.3+0x68/0x170
> [ 64.820541] do_el0_svc+0x24/0x90
> [ 64.823853] el0_sync_handler+0x118/0x168
> [ 64.827858] el0_sync+0x158/0x180
>
> [...]

Applied to

https://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi.git for-next

Thanks!

[1/1] spi: fsl-dspi: fix wrong pointer in suspend/resume
commit: 9bd77a9ce31dd242fece27219d14fbee5068dd85

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark