From patchwork Sun May 10 07:50:45 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Martin Sperl X-Patchwork-Id: 6371301 Return-Path: X-Original-To: patchwork-linux-spi@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 570A2BEEE1 for ; Sun, 10 May 2015 07:51:03 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 4896220389 for ; Sun, 10 May 2015 07:51:02 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 49DB620394 for ; Sun, 10 May 2015 07:51:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752178AbbEJHu7 (ORCPT ); Sun, 10 May 2015 03:50:59 -0400 Received: from 212-186-180-163.dynamic.surfer.at ([212.186.180.163]:50314 "EHLO cgate.sperl.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752043AbbEJHu7 (ORCPT ); Sun, 10 May 2015 03:50:59 -0400 Received: from raspb.intern.sperl.org (account martin@sperl.org [10.10.10.32] verified) by sperl.org (CommuniGate Pro SMTP 6.1.2) with ESMTPSA id 6321631; Sun, 10 May 2015 07:50:55 +0000 From: kernel@martin.sperl.org To: =?UTF-8?q?Noralf=20Tr=C3=B8nnes?= , Mark Brown , linux-spi@vger.kernel.org Cc: Martin Sperl Subject: [PATCH] spi: fix race freeing dummy_tx/rx before it is unmapped Date: Sun, 10 May 2015 07:50:45 +0000 Message-Id: <1431244245-2880-1-git-send-email-kernel@martin.sperl.org> X-Mailer: git-send-email 1.7.10.4 In-Reply-To: <20150508221309.GK2761@sirena.org.uk> References: <20150508221309.GK2761@sirena.org.uk> MIME-Version: 1.0 Sender: linux-spi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-spi@vger.kernel.org X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, T_RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Martin Sperl Fix a race (with some kernel configurations) where a queued master->pump_messages runs and frees dummy_tx/rx before spi_unmap_msg is running (or is finished). This results in the following messages: BUG: Bad page state in process page:db7ba030 count:0 mapcount:0 mapping: (null) index:0x0 flags: 0x200(arch_1) page dumped because: PAGE_FLAGS_CHECK_AT_PREP flag set ... Reported-by: Noralf Trønnes Suggested-by: Noralf Trønnes Tested-by: Noralf Trønnes Signed-off-by: Martin Sperl --- drivers/spi/spi.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) Note that I am not 100% sure if the spinlock is really needed to read cur_msg, but as it was there I left it as is and just moved the scheduling and assignments down after sg_unmap and unprepare_message. Noralf also sugested removing the first locking and my testing shows that I was unable to trigger any issues with locking removed for the assignemnt of mesg but there still may be a possibilty... Also note that if you leave cur_message = NULL assignement on top, then there is another race were other drivers submitting spi_messages and thus triggering spi_pump while we still are cleaning up the old message. This is because pump_message stops if it finds cur_message to be still asigned. Tested with the following devices on the same bus and all active: * 2x mcp2515 * 1x enc28j60 * 1x fb_st7735r Communication on reporting/testing by Noralf can get reviewed at: https://github.com/raspberrypi/linux/issues/959#issuecomment-100391599 and https://github.com/msperl/spi-bcm2835/issues/13#issuecomment-87210385 diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c index 50910d8..d35c1a1 100644 --- a/drivers/spi/spi.c +++ b/drivers/spi/spi.c @@ -988,9 +988,6 @@ void spi_finalize_current_message(struct spi_master *master) spin_lock_irqsave(&master->queue_lock, flags); mesg = master->cur_msg; - master->cur_msg = NULL; - - queue_kthread_work(&master->kworker, &master->pump_messages); spin_unlock_irqrestore(&master->queue_lock, flags); spi_unmap_msg(master, mesg); @@ -1003,9 +1000,13 @@ void spi_finalize_current_message(struct spi_master *master) } } - trace_spi_message_done(mesg); - + spin_lock_irqsave(&master->queue_lock, flags); + master->cur_msg = NULL; master->cur_msg_prepared = false; + queue_kthread_work(&master->kworker, &master->pump_messages); + spin_unlock_irqrestore(&master->queue_lock, flags); + + trace_spi_message_done(mesg); mesg->state = NULL; if (mesg->complete)