From patchwork Sun Jul 10 12:09:22 2011
X-Patchwork-Submitter: Vasily Khoruzhick
X-Patchwork-Id: 961182
From: Vasily Khoruzhick
To: Marek Vasut, "Russell King - ARM Linux", linux-arm-kernel@lists.infradead.org, spi-devel-general@lists.sourceforge.net, Eric Miao
Cc: Vasily Khoruzhick
Subject: [PATCH v2] pxa2xx_spi: fix memory corruption
Date: Sun, 10 Jul 2011 15:09:22 +0300
Message-Id: <1310299762-20079-1-git-send-email-anarsoul@gmail.com>
In-Reply-To: <201107100957.06377.marek.vasut@gmail.com>
References: <201107100957.06377.marek.vasut@gmail.com>

pxa2xx_spi_probe allocates struct driver_data and null_dma_buf at the same time via spi_alloc_master(), but then calculates null_dma_buf pointer
incorrectly, and it causes memory corruption later if DMA usage is enabled. Signed-off-by: Vasily Khoruzhick --- v2: - add u8 __null_dma_buf[16] to the end of driver_data structure and use it as null_dma_buf after alignment. - use PTR_ALIGN instead of ALIGN drivers/spi/pxa2xx_spi.c | 9 +++++---- 1 files changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/spi/pxa2xx_spi.c b/drivers/spi/pxa2xx_spi.c index dc25bee..25358cd 100644 --- a/drivers/spi/pxa2xx_spi.c +++ b/drivers/spi/pxa2xx_spi.c @@ -106,6 +106,7 @@ struct driver_data { int rx_channel; int tx_channel; u32 *null_dma_buf; + u8 __null_dma_buf[16]; /* SSP register addresses */ void __iomem *ioaddr; @@ -1543,8 +1544,8 @@ static int __devinit pxa2xx_spi_probe(struct platform_device *pdev) return -ENODEV; } - /* Allocate master with space for drv_data and null dma buffer */ - master = spi_alloc_master(dev, sizeof(struct driver_data) + 16); + /* Allocate master with space for drv_data */ + master = spi_alloc_master(dev, sizeof(struct driver_data)); if (!master) { dev_err(&pdev->dev, "cannot alloc spi_master\n"); pxa_ssp_free(ssp); @@ -1569,8 +1570,8 @@ static int __devinit pxa2xx_spi_probe(struct platform_device *pdev) master->transfer = transfer; drv_data->ssp_type = ssp->type; - drv_data->null_dma_buf = (u32 *)ALIGN((u32)(drv_data + - sizeof(struct driver_data)), 8); + drv_data->null_dma_buf = + (u32 *)PTR_ALIGN((u8 *)drv_data->__null_dma_buf, 8); drv_data->ioaddr = ssp->mmio_base; drv_data->ssdr_physical = ssp->phys_base + SSDR;
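
Review bot: the new `u8 __null_dma_buf[16];` in the `struct driver_data` hunk sits between `u32 *null_dma_buf;` and `void __iomem *ioaddr;`, not at the end of the structure as the v2 changelog says. In that position the DMA buffer shares cache lines with fields the CPU reads and writes, which is a hazard on systems without cache-coherent DMA. Please move it to be the last member, or pad it to a cache line, and add a short comment saying why it is 16 bytes: up to 7 bytes can be lost to the 8-byte `PTR_ALIGN`, which leaves room for the `u32` that `null_dma_buf` points at.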
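
Review bot: the `(u8 *)` cast inside `PTR_ALIGN()` in the last `pxa2xx_spi_probe` hunk is redundant, because `drv_data->__null_dma_buf` already decays to `u8 *`; `(u32 *)PTR_ALIGN(drv_data->__null_dma_buf, 8)` reads more cleanly and fits on one line. The changelog should also say what was wrong rather than only "incorrectly": the removed expression adds `sizeof(struct driver_data)` to `drv_data`, which is a `struct driver_data *`, so the offset is scaled by the structure size and the result lands well beyond the 16 extra bytes that were allocated. One sentence stating this root cause would help anyone backporting the fix.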