diff mbox series

spi: fsl-dspi: fix NULL pointer dereference

Message ID 20201029084035.19604-1-qiang.zhao@nxp.com (mailing list archive)
State Accepted
Commit 9bd77a9ce31dd242fece27219d14fbee5068dd85
Headers show
Series spi: fsl-dspi: fix NULL pointer dereference | expand

Commit Message

Qiang Zhao Oct. 29, 2020, 8:40 a.m. UTC 
From: Zhao Qiang <qiang.zhao@nxp.com>

Since commit 530b5affc675 ("spi: fsl-dspi: fix use-after-free in
remove path"), this driver causes a kernel oops:

[   64.587431] Unable to handle kernel NULL pointer dereference at
virtual address 0000000000000020
[..]
[   64.756080] Call trace:
[   64.758526]  dspi_suspend+0x30/0x78
[   64.762012]  platform_pm_suspend+0x28/0x70
[   64.766107]  dpm_run_callback.isra.19+0x24/0x70
[   64.770635]  __device_suspend+0xf4/0x2f0
[   64.774553]  dpm_suspend+0xec/0x1e0
[   64.778036]  dpm_suspend_start+0x80/0xa0
[   64.781957]  suspend_devices_and_enter+0x118/0x4f0
[   64.786743]  pm_suspend+0x1e0/0x260
[   64.790227]  state_store+0x8c/0x118
[   64.793712]  kobj_attr_store+0x18/0x30
[   64.797459]  sysfs_kf_write+0x40/0x58
[   64.801118]  kernfs_fop_write+0x148/0x240
[   64.805126]  vfs_write+0xc0/0x230
[   64.808436]  ksys_write+0x6c/0x100
[   64.811833]  __arm64_sys_write+0x1c/0x28
[   64.815753]  el0_svc_common.constprop.3+0x68/0x170
[   64.820541]  do_el0_svc+0x24/0x90
[   64.823853]  el0_sync_handler+0x118/0x168
[   64.827858]  el0_sync+0x158/0x180

This is because since this commit, the drivers private data point to
"dspi" instead of "ctlr", the codes in suspend and resume func were
not modified correspondly.

Fixes: 530b5affc675 ("spi: fsl-dspi: fix use-after-free in remove path")
Signed-off-by: Zhao Qiang <qiang.zhao@nxp.com>
---
 drivers/spi/spi-fsl-dspi.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

Comments

Vladimir Oltean Oct. 29, 2020, 11:03 a.m. UTC | #1 
On Thu, Oct 29, 2020 at 04:40:35PM +0800, Qiang Zhao wrote:
> From: Zhao Qiang <qiang.zhao@nxp.com>
> 
> Since commit 530b5affc675 ("spi: fsl-dspi: fix use-after-free in
> remove path"), this driver causes a kernel oops:
> 
> [   64.587431] Unable to handle kernel NULL pointer dereference at
> virtual address 0000000000000020
> [..]
> [   64.756080] Call trace:
> [   64.758526]  dspi_suspend+0x30/0x78
> [   64.762012]  platform_pm_suspend+0x28/0x70
> [   64.766107]  dpm_run_callback.isra.19+0x24/0x70
> [   64.770635]  __device_suspend+0xf4/0x2f0
> [   64.774553]  dpm_suspend+0xec/0x1e0
> [   64.778036]  dpm_suspend_start+0x80/0xa0
> [   64.781957]  suspend_devices_and_enter+0x118/0x4f0
> [   64.786743]  pm_suspend+0x1e0/0x260
> [   64.790227]  state_store+0x8c/0x118
> [   64.793712]  kobj_attr_store+0x18/0x30
> [   64.797459]  sysfs_kf_write+0x40/0x58
> [   64.801118]  kernfs_fop_write+0x148/0x240
> [   64.805126]  vfs_write+0xc0/0x230
> [   64.808436]  ksys_write+0x6c/0x100
> [   64.811833]  __arm64_sys_write+0x1c/0x28
> [   64.815753]  el0_svc_common.constprop.3+0x68/0x170
> [   64.820541]  do_el0_svc+0x24/0x90
> [   64.823853]  el0_sync_handler+0x118/0x168
> [   64.827858]  el0_sync+0x158/0x180
> 
> This is because since this commit, the drivers private data point to
> "dspi" instead of "ctlr", the codes in suspend and resume func were
> not modified correspondly.
> 
> Fixes: 530b5affc675 ("spi: fsl-dspi: fix use-after-free in remove path")
> Signed-off-by: Zhao Qiang <qiang.zhao@nxp.com>
> ---

Please update your tree.
https://github.com/torvalds/linux/commit/6e3837668e00fb914ac2b43158ef51b027ec385c
Qiang Zhao Oct. 30, 2020, 2:04 a.m. UTC | #2 
On Thu, Oct 29, 2020 at 19:03PM, Vladimir Oltean <olteanv@gmail.com> wrote:


> -----Original Message-----
> From: Vladimir Oltean <olteanv@gmail.com>
> Sent: 2020年10月29日 19:03
> To: Qiang Zhao <qiang.zhao@nxp.com>
> Cc: broonie@kernel.org; linux-spi@vger.kernel.org;
> linux-kernel@vger.kernel.org
> Subject: Re: [PATCH] spi: fsl-dspi: fix NULL pointer dereference
> 
> On Thu, Oct 29, 2020 at 04:40:35PM +0800, Qiang Zhao wrote:
> > From: Zhao Qiang <qiang.zhao@nxp.com>
> >
> > Since commit 530b5affc675 ("spi: fsl-dspi: fix use-after-free in
> > remove path"), this driver causes a kernel oops:
> >
> > [   64.587431] Unable to handle kernel NULL pointer dereference at
> > virtual address 0000000000000020
> > [..]
> > [   64.756080] Call trace:
> > [   64.758526]  dspi_suspend+0x30/0x78
> > [   64.762012]  platform_pm_suspend+0x28/0x70
> > [   64.766107]  dpm_run_callback.isra.19+0x24/0x70
> > [   64.770635]  __device_suspend+0xf4/0x2f0
> > [   64.774553]  dpm_suspend+0xec/0x1e0
> > [   64.778036]  dpm_suspend_start+0x80/0xa0
> > [   64.781957]  suspend_devices_and_enter+0x118/0x4f0
> > [   64.786743]  pm_suspend+0x1e0/0x260
> > [   64.790227]  state_store+0x8c/0x118
> > [   64.793712]  kobj_attr_store+0x18/0x30
> > [   64.797459]  sysfs_kf_write+0x40/0x58
> > [   64.801118]  kernfs_fop_write+0x148/0x240
> > [   64.805126]  vfs_write+0xc0/0x230
> > [   64.808436]  ksys_write+0x6c/0x100
> > [   64.811833]  __arm64_sys_write+0x1c/0x28
> > [   64.815753]  el0_svc_common.constprop.3+0x68/0x170
> > [   64.820541]  do_el0_svc+0x24/0x90
> > [   64.823853]  el0_sync_handler+0x118/0x168
> > [   64.827858]  el0_sync+0x158/0x180
> >
> > This is because since this commit, the drivers private data point to
> > "dspi" instead of "ctlr", the codes in suspend and resume func were
> > not modified correspondly.
> >
> > Fixes: 530b5affc675 ("spi: fsl-dspi: fix use-after-free in remove
> > path")
> > Signed-off-by: Zhao Qiang <qiang.zhao@nxp.com>
> > ---
> 
> Please update your tree.
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.c
> om%2Ftorvalds%2Flinux%2Fcommit%2F6e3837668e00fb914ac2b43158ef51b0
> 27ec385c&amp;data=04%7C01%7Cqiang.zhao%40nxp.com%7C50171bf65a5e
> 4f24e0c208d87bfa3fe9%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0
> %7C637395662023835048%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjA
> wMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sda
> ta=NlmOj1SfvKu2V7nrSYF3lDji25xbP5PeDl1PcwlKyr4%3D&amp;reserved=0

I saw the patch, it just fix the issue when the kernel are booted up.
But there still have the issue when the driver suspend and resume. 

Best Regards
Qiang Zhao
Mark Brown Oct. 30, 2020, 1:02 p.m. UTC | #3 
On Thu, Oct 29, 2020 at 04:40:35PM +0800, Qiang Zhao wrote:

> [   64.587431] Unable to handle kernel NULL pointer dereference at
> virtual address 0000000000000020
> [..]
> [   64.756080] Call trace:
> [   64.758526]  dspi_suspend+0x30/0x78
> [   64.762012]  platform_pm_suspend+0x28/0x70
> [   64.766107]  dpm_run_callback.isra.19+0x24/0x70
> [   64.770635]  __device_suspend+0xf4/0x2f0
> [   64.774553]  dpm_suspend+0xec/0x1e0
> [   64.778036]  dpm_suspend_start+0x80/0xa0
> [   64.781957]  suspend_devices_and_enter+0x118/0x4f0
> [   64.786743]  pm_suspend+0x1e0/0x260
> [   64.790227]  state_store+0x8c/0x118
> [   64.793712]  kobj_attr_store+0x18/0x30
> [   64.797459]  sysfs_kf_write+0x40/0x58
> [   64.801118]  kernfs_fop_write+0x148/0x240
> [   64.805126]  vfs_write+0xc0/0x230
> [   64.808436]  ksys_write+0x6c/0x100
> [   64.811833]  __arm64_sys_write+0x1c/0x28
> [   64.815753]  el0_svc_common.constprop.3+0x68/0x170
> [   64.820541]  do_el0_svc+0x24/0x90
> [   64.823853]  el0_sync_handler+0x118/0x168
> [   64.827858]  el0_sync+0x158/0x180

Please think hard before including complete backtraces in upstream
reports, they are very large and contain almost no useful information
relative to their size so often obscure the relevant content in your
message. If part of the backtrace is usefully illustrative (it often is
for search engines if nothing else) then it's usually better to pull out
the relevant sections.
Vladimir Oltean Oct. 30, 2020, 1:14 p.m. UTC | #4 
On Fri, Oct 30, 2020 at 02:04:06AM +0000, Qiang Zhao wrote:
> I saw the patch, it just fix the issue when the kernel are booted up.
> But there still have the issue when the driver suspend and resume. 

I see, sorry, I only paid attention to the commit message since it
wasn't explicit that it is about the suspend/resume case. Let me look
closer at the patch.
Vladimir Oltean Oct. 30, 2020, 1:18 p.m. UTC | #5 
On Thu, Oct 29, 2020 at 04:40:35PM +0800, Qiang Zhao wrote:
> From: Zhao Qiang <qiang.zhao@nxp.com>
> 
> Since commit 530b5affc675 ("spi: fsl-dspi: fix use-after-free in
> remove path"), this driver causes a kernel oops:
> 
> [   64.587431] Unable to handle kernel NULL pointer dereference at
> virtual address 0000000000000020
> [..]
> [   64.756080] Call trace:
> [   64.758526]  dspi_suspend+0x30/0x78
> [   64.762012]  platform_pm_suspend+0x28/0x70
> [   64.766107]  dpm_run_callback.isra.19+0x24/0x70
> [   64.770635]  __device_suspend+0xf4/0x2f0
> [   64.774553]  dpm_suspend+0xec/0x1e0
> [   64.778036]  dpm_suspend_start+0x80/0xa0
> [   64.781957]  suspend_devices_and_enter+0x118/0x4f0
> [   64.786743]  pm_suspend+0x1e0/0x260
> [   64.790227]  state_store+0x8c/0x118
> [   64.793712]  kobj_attr_store+0x18/0x30
> [   64.797459]  sysfs_kf_write+0x40/0x58
> [   64.801118]  kernfs_fop_write+0x148/0x240
> [   64.805126]  vfs_write+0xc0/0x230
> [   64.808436]  ksys_write+0x6c/0x100
> [   64.811833]  __arm64_sys_write+0x1c/0x28
> [   64.815753]  el0_svc_common.constprop.3+0x68/0x170
> [   64.820541]  do_el0_svc+0x24/0x90
> [   64.823853]  el0_sync_handler+0x118/0x168
> [   64.827858]  el0_sync+0x158/0x180
> 
> This is because since this commit, the drivers private data point to
> "dspi" instead of "ctlr", the codes in suspend and resume func were
> not modified correspondly.
> 
> Fixes: 530b5affc675 ("spi: fsl-dspi: fix use-after-free in remove path")
> Signed-off-by: Zhao Qiang <qiang.zhao@nxp.com>
> ---

Reviewed-by: Vladimir Oltean <olteanv@gmail.com>

Please resend with Mark's comment. I would prefer that you even remove
the stack trace completely and make it more obvious in the commit
message itself that the NULL pointer occurs during suspend/resume.
Somehow that managed to get obscured in your current version. It is also
not helpful at all that there already exists a commit titled 'spi:
fsl-dspi: fix NULL pointer dereference' on this driver. This causes
confusion for backporters. Please provide a unique commit message.
Thanks.
Qiang Zhao Nov. 2, 2020, 2:01 a.m. UTC | #6 
On Thu, Oct 30, 2020 at 21:02PM, Mark Brown <broonie@kernel.org> wrote:

> -----Original Message-----
> From: Mark Brown <broonie@kernel.org>
> Sent: 2020年10月30日 21:02
> To: Qiang Zhao <qiang.zhao@nxp.com>
> Cc: olteanv@gmail.com; linux-spi@vger.kernel.org;
> linux-kernel@vger.kernel.org
> Subject: Re: [PATCH] spi: fsl-dspi: fix NULL pointer dereference
> 
> On Thu, Oct 29, 2020 at 04:40:35PM +0800, Qiang Zhao wrote:
> 
> > [   64.587431] Unable to handle kernel NULL pointer dereference at
> > virtual address 0000000000000020
> > [..]
> > [   64.756080] Call trace:
> > [   64.758526]  dspi_suspend+0x30/0x78
> > [   64.762012]  platform_pm_suspend+0x28/0x70
> > [   64.766107]  dpm_run_callback.isra.19+0x24/0x70
> > [   64.770635]  __device_suspend+0xf4/0x2f0
> > [   64.774553]  dpm_suspend+0xec/0x1e0
> > [   64.778036]  dpm_suspend_start+0x80/0xa0
> > [   64.781957]  suspend_devices_and_enter+0x118/0x4f0
> > [   64.786743]  pm_suspend+0x1e0/0x260
> > [   64.790227]  state_store+0x8c/0x118
> > [   64.793712]  kobj_attr_store+0x18/0x30
> > [   64.797459]  sysfs_kf_write+0x40/0x58
> > [   64.801118]  kernfs_fop_write+0x148/0x240
> > [   64.805126]  vfs_write+0xc0/0x230
> > [   64.808436]  ksys_write+0x6c/0x100
> > [   64.811833]  __arm64_sys_write+0x1c/0x28
> > [   64.815753]  el0_svc_common.constprop.3+0x68/0x170
> > [   64.820541]  do_el0_svc+0x24/0x90
> > [   64.823853]  el0_sync_handler+0x118/0x168
> > [   64.827858]  el0_sync+0x158/0x180
> 
> Please think hard before including complete backtraces in upstream reports,
> they are very large and contain almost no useful information relative to their
> size so often obscure the relevant content in your message. If part of the
> backtrace is usefully illustrative (it often is for search engines if nothing else)
> then it's usually better to pull out the relevant sections.

Ok, will modified in next version.

Best Regards,
Qiang Zhao
Qiang Zhao Nov. 2, 2020, 2:19 a.m. UTC | #7 
On Thu, Oct 30, 2020 at 21:18PM +0800, Vladimir Oltean <olteanv@gmail.com> wrote:

> -----Original Message-----
> From: Vladimir Oltean <olteanv@gmail.com>
> Sent: 2020年10月30日 21:18
> To: Qiang Zhao <qiang.zhao@nxp.com>
> Cc: broonie@kernel.org; linux-spi@vger.kernel.org;
> linux-kernel@vger.kernel.org
> Subject: Re: [PATCH] spi: fsl-dspi: fix NULL pointer dereference
> 
> On Thu, Oct 29, 2020 at 04:40:35PM +0800, Qiang Zhao wrote:
> > From: Zhao Qiang <qiang.zhao@nxp.com>
> >
> > Since commit 530b5affc675 ("spi: fsl-dspi: fix use-after-free in
> > remove path"), this driver causes a kernel oops:
> >
> > [   64.587431] Unable to handle kernel NULL pointer dereference at
> > virtual address 0000000000000020
> > [..]
> > [   64.756080] Call trace:
> > [   64.758526]  dspi_suspend+0x30/0x78
> > [   64.762012]  platform_pm_suspend+0x28/0x70
> >
> > This is because since this commit, the drivers private data point to
> > "dspi" instead of "ctlr", the codes in suspend and resume func were
> > not modified correspondly.
> >
> > Fixes: 530b5affc675 ("spi: fsl-dspi: fix use-after-free in remove
> > path")
> > Signed-off-by: Zhao Qiang <qiang.zhao@nxp.com>
> > ---
> 
> Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
> 
> Please resend with Mark's comment. I would prefer that you even remove the
> stack trace completely and make it more obvious in the commit message itself
> that the NULL pointer occurs during suspend/resume.
> Somehow that managed to get obscured in your current version. It is also not
> helpful at all that there already exists a commit titled 'spi:
> fsl-dspi: fix NULL pointer dereference' on this driver. This causes confusion for
> backporters. Please provide a unique commit message.
> Thanks.

How about it looks like below:

    spi: fsl-dspi: fix wrong pointer in suspend/resume

    Since commit 530b5affc675 ("spi: fsl-dspi: fix use-after-free in
    remove path"), this driver causes a "NULL pointer dereference"
    in dspi_suspend/resume.
    This is because since this commit, the drivers private data point to
    "dspi" instead of "ctlr", the codes in suspend and resume func were
    not modified correspondly.


Best Regards,
Qiang Zhao
Vladimir Oltean Nov. 2, 2020, 11:17 a.m. UTC | #8 
On Mon, Nov 02, 2020 at 02:19:28AM +0000, Qiang Zhao wrote:
> How about it looks like below:
> 
>     spi: fsl-dspi: fix wrong pointer in suspend/resume
> 
>     Since commit 530b5affc675 ("spi: fsl-dspi: fix use-after-free in
>     remove path"), this driver causes a "NULL pointer dereference"
>     in dspi_suspend/resume.
>     This is because since this commit, the drivers private data point to
>     "dspi" instead of "ctlr", the codes in suspend and resume func were
>     not modified correspondly.

Looks ok.
Mark Brown Nov. 4, 2020, 8:43 p.m. UTC | #9 
On Thu, 29 Oct 2020 16:40:35 +0800, Qiang Zhao wrote:
> Since commit 530b5affc675 ("spi: fsl-dspi: fix use-after-free in
> remove path"), this driver causes a kernel oops:
> 
> [   64.587431] Unable to handle kernel NULL pointer dereference at
> virtual address 0000000000000020
> [..]
> [   64.756080] Call trace:
> [   64.758526]  dspi_suspend+0x30/0x78
> [   64.762012]  platform_pm_suspend+0x28/0x70
> [   64.766107]  dpm_run_callback.isra.19+0x24/0x70
> [   64.770635]  __device_suspend+0xf4/0x2f0
> [   64.774553]  dpm_suspend+0xec/0x1e0
> [   64.778036]  dpm_suspend_start+0x80/0xa0
> [   64.781957]  suspend_devices_and_enter+0x118/0x4f0
> [   64.786743]  pm_suspend+0x1e0/0x260
> [   64.790227]  state_store+0x8c/0x118
> [   64.793712]  kobj_attr_store+0x18/0x30
> [   64.797459]  sysfs_kf_write+0x40/0x58
> [   64.801118]  kernfs_fop_write+0x148/0x240
> [   64.805126]  vfs_write+0xc0/0x230
> [   64.808436]  ksys_write+0x6c/0x100
> [   64.811833]  __arm64_sys_write+0x1c/0x28
> [   64.815753]  el0_svc_common.constprop.3+0x68/0x170
> [   64.820541]  do_el0_svc+0x24/0x90
> [   64.823853]  el0_sync_handler+0x118/0x168
> [   64.827858]  el0_sync+0x158/0x180
> 
> [...]

Applied to

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi.git for-next

Thanks!

[1/1] spi: fsl-dspi: fix wrong pointer in suspend/resume
      commit: 9bd77a9ce31dd242fece27219d14fbee5068dd85

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark
diff mbox series

Patch

diff --git a/drivers/spi/spi-fsl-dspi.c b/drivers/spi/spi-fsl-dspi.c
index 3967afa..1a08c1d 100644
--- a/drivers/spi/spi-fsl-dspi.c
+++ b/drivers/spi/spi-fsl-dspi.c
@@ -1080,12 +1080,11 @@  MODULE_DEVICE_TABLE(of, fsl_dspi_dt_ids);
 #ifdef CONFIG_PM_SLEEP
 static int dspi_suspend(struct device *dev)
 {
-	struct spi_controller *ctlr = dev_get_drvdata(dev);
-	struct fsl_dspi *dspi = spi_controller_get_devdata(ctlr);
+	struct fsl_dspi *dspi = dev_get_drvdata(dev);
 
 	if (dspi->irq)
 		disable_irq(dspi->irq);
-	spi_controller_suspend(ctlr);
+	spi_controller_suspend(dspi->ctlr);
 	clk_disable_unprepare(dspi->clk);
 
 	pinctrl_pm_select_sleep_state(dev);
@@ -1095,8 +1094,7 @@  static int dspi_suspend(struct device *dev)
 
 static int dspi_resume(struct device *dev)
 {
-	struct spi_controller *ctlr = dev_get_drvdata(dev);
-	struct fsl_dspi *dspi = spi_controller_get_devdata(ctlr);
+	struct fsl_dspi *dspi = dev_get_drvdata(dev);
 	int ret;
 
 	pinctrl_pm_select_default_state(dev);
@@ -1104,7 +1102,7 @@  static int dspi_resume(struct device *dev)
 	ret = clk_prepare_enable(dspi->clk);
 	if (ret)
 		return ret;
-	spi_controller_resume(ctlr);
+	spi_controller_resume(dspi->ctlr);
 	if (dspi->irq)
 		enable_irq(dspi->irq);