From 0ed56252c9567351344cb7b5cff6140e1bcec943 Mon Sep 17 00:00:00 2001 From: Mark Brown Date: Thu, 9 May 2019 11:27:17 +0900 Subject: [PATCH 1/4] spi: Fix Raspberry Pi breakage This reverts commit c9ba7a16d0f1 (Release spi_res after finalizing message) which causes races during cleanup. Reported-by: Nicolas Saenz Julienne Signed-off-by: Mark Brown --- drivers/spi/spi.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c index 5e75944ad5d1..8eb7460dd744 100644 --- a/drivers/spi/spi.c +++ b/drivers/spi/spi.c @@ -1181,10 +1181,10 @@ out: if (msg->status && ctlr->handle_err) ctlr->handle_err(ctlr, msg); - spi_finalize_current_message(ctlr); - spi_res_release(ctlr, msg); + spi_finalize_current_message(ctlr); + return ret; } From 5caaf29af5ca82d5da8bc1d0ad07d9e664ccf1d8 Mon Sep 17 00:00:00 2001 From: YueHaibing Date: Thu, 16 May 2019 15:56:56 +0800 Subject: [PATCH 2/4] spi: bitbang: Fix NULL pointer dereference in spi_unregister_master If spi_register_master fails in spi_bitbang_start because device_add failure, We should return the error code other than 0, otherwise calling spi_bitbang_stop may trigger NULL pointer dereference like this: BUG: KASAN: null-ptr-deref in __list_del_entry_valid+0x45/0xd0 Read of size 8 at addr 0000000000000000 by task syz-executor.0/3661 CPU: 0 PID: 3661 Comm: syz-executor.0 Not tainted 5.1.0+ #28 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 Call Trace: dump_stack+0xa9/0x10e ? __list_del_entry_valid+0x45/0xd0 ? __list_del_entry_valid+0x45/0xd0 __kasan_report+0x171/0x18d ? __list_del_entry_valid+0x45/0xd0 kasan_report+0xe/0x20 __list_del_entry_valid+0x45/0xd0 spi_unregister_controller+0x99/0x1b0 spi_lm70llp_attach+0x3ae/0x4b0 [spi_lm70llp] ? 0xffffffffc1128000 ? klist_next+0x131/0x1e0 ? driver_detach+0x40/0x40 [parport] port_check+0x3b/0x50 [parport] bus_for_each_dev+0x115/0x180 ? subsys_dev_iter_exit+0x20/0x20 __parport_register_driver+0x1f0/0x210 [parport] ? 0xffffffffc1150000 do_one_initcall+0xb9/0x3b5 ? perf_trace_initcall_level+0x270/0x270 ? kasan_unpoison_shadow+0x30/0x40 ? kasan_unpoison_shadow+0x30/0x40 do_init_module+0xe0/0x330 load_module+0x38eb/0x4270 ? module_frob_arch_sections+0x20/0x20 ? kernel_read_file+0x188/0x3f0 ? find_held_lock+0x6d/0xd0 ? fput_many+0x1a/0xe0 ? __do_sys_finit_module+0x162/0x190 __do_sys_finit_module+0x162/0x190 ? __ia32_sys_init_module+0x40/0x40 ? __mutex_unlock_slowpath+0xb4/0x3f0 ? wait_for_completion+0x240/0x240 ? vfs_write+0x160/0x2a0 ? lockdep_hardirqs_off+0xb5/0x100 ? mark_held_locks+0x1a/0x90 ? do_syscall_64+0x14/0x2a0 do_syscall_64+0x72/0x2a0 entry_SYSCALL_64_after_hwframe+0x49/0xbe Reported-by: Hulk Robot Fixes: 702a4879ec33 ("spi: bitbang: Let spi_bitbang_start() take a reference to master") Signed-off-by: YueHaibing Reviewed-by: Geert Uytterhoeven Reviewed-by: Axel Lin Reviewed-by: Mukesh Ojha Signed-off-by: Mark Brown --- drivers/spi/spi-bitbang.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/spi/spi-bitbang.c b/drivers/spi/spi-bitbang.c index 4243e53f9f7b..e8fd95276315 100644 --- a/drivers/spi/spi-bitbang.c +++ b/drivers/spi/spi-bitbang.c @@ -415,7 +415,7 @@ int spi_bitbang_start(struct spi_bitbang *bitbang) if (ret) spi_master_put(master); - return 0; + return ret; } EXPORT_SYMBOL_GPL(spi_bitbang_start); From 44a042182cb1e9f7916e015c836967bf638b33c4 Mon Sep 17 00:00:00 2001 From: Christophe Leroy Date: Wed, 22 May 2019 11:00:36 +0000 Subject: [PATCH 3/4] spi: spi-fsl-spi: call spi_finalize_current_message() at the end spi_finalize_current_message() shall be called once all actions are finished, otherwise the last actions might step over a newly started transfer. Fixes: c592becbe704 ("spi: fsl-(e)spi: migrate to generic master queueing") Signed-off-by: Christophe Leroy Signed-off-by: Mark Brown --- drivers/spi/spi-fsl-spi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/spi/spi-fsl-spi.c b/drivers/spi/spi-fsl-spi.c index b36ac6aa3b1f..7fbdaf066719 100644 --- a/drivers/spi/spi-fsl-spi.c +++ b/drivers/spi/spi-fsl-spi.c @@ -432,7 +432,6 @@ static int fsl_spi_do_one_msg(struct spi_master *master, } m->status = status; - spi_finalize_current_message(master); if (status || !cs_change) { ndelay(nsecs); @@ -440,6 +439,7 @@ static int fsl_spi_do_one_msg(struct spi_master *master, } fsl_spi_setup_transfer(spi, NULL); + spi_finalize_current_message(master); return 0; } From f3440d9a0da292dc4998d9393162fcfb996fd671 Mon Sep 17 00:00:00 2001 From: Super Liu Date: Wed, 22 May 2019 14:30:14 +0800 Subject: [PATCH 4/4] spi: abort spi_sync if failed to prepare_transfer_hardware There is no chance to wait spi message complete if failed to prepare_transfer_hardware(). Therefore, finalize this message and abort transfer with corresponding return status to release this block case. Logs: [17400.283005] c7 3267 PM: PM: suspend entry 2019-05-04 03:01:14.403097147 UTC [17400.283013] c7 3267 PM: suspend entry (deep) [17400.283016] c6 3267 PM: Syncing filesystems ... done. [17400.584395] c1 753 spi_geni 890000.spi: spi_geni_prepare_transfer_hardware:Error enabling SE resources -13 [17400.584404] c1 753 spi_master spi1: failed to prepare transfer hardware [17400.664611] c4 3267 PM: PM: suspend exit 2019-05-04 03:01:15.235273018 UTC Flow: __spi_sync@spi.c | if (status == 0) { | /* Push out the messages in the calling context if we | * can. | */ | if (ctlr->transfer == spi_queued_transfer) { | SPI_STATISTICS_INCREMENT_FIELD(&ctlr->statistics, | spi_sync_immediate); | SPI_STATISTICS_INCREMENT_FIELD(&spi->statistics, | spi_sync_immediate); | __spi_pump_messages(ctlr, false); | } | | wait_for_completion(&done); <== stuck here!!! | status = message->status; | } | message->context = NULL; | return status; | --> __spi_pump_messages@spi.c | if (!was_busy && ctlr->prepare_transfer_hardware) { | ret = ctlr->prepare_transfer_hardware(ctlr); | if (ret) { | dev_err(&ctlr->dev, | "failed to prepare transfer hardware\n"); | | if (ctlr->auto_runtime_pm) | pm_runtime_put(ctlr->dev.parent); | mutex_unlock(&ctlr->io_mutex); | return; | } | } | --> spi_geni_prepare_transfer_hardware@spi-geni-qcom.c | ret = pm_runtime_get_sync(mas->dev); | if (ret < 0) { | dev_err(mas->dev, | "%s:Error enabling SE resources %d\n", | __func__, ret); | pm_runtime_put_noidle(mas->dev); | goto exit_prepare_transfer_hardware; Signed-off-by: Super Liu Signed-off-by: Mark Brown --- drivers/spi/spi.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c index 8eb7460dd744..5e4654032bfa 100644 --- a/drivers/spi/spi.c +++ b/drivers/spi/spi.c @@ -1307,10 +1307,15 @@ static void __spi_pump_messages(struct spi_controller *ctlr, bool in_kthread) ret = ctlr->prepare_transfer_hardware(ctlr); if (ret) { dev_err(&ctlr->dev, - "failed to prepare transfer hardware\n"); + "failed to prepare transfer hardware: %d\n", + ret); if (ctlr->auto_runtime_pm) pm_runtime_put(ctlr->dev.parent); + + ctlr->cur_msg->status = ret; + spi_finalize_current_message(ctlr); + mutex_unlock(&ctlr->io_mutex); return; }