From patchwork Sun Oct 28 15:51:17 2012 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vasily Khoruzhick X-Patchwork-Id: 1657921 Return-Path: X-Original-To: patchwork-linux-arm@patchwork.kernel.org Delivered-To: patchwork-process-083081@patchwork1.kernel.org Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134]) by patchwork1.kernel.org (Postfix) with ESMTP id 3DE773FD4E for ; Sun, 28 Oct 2012 15:53:32 +0000 (UTC) Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.76 #1 (Red Hat Linux)) id 1TSV98-0007n3-TU; Sun, 28 Oct 2012 15:51:30 +0000 Received: from mail-lb0-f177.google.com ([209.85.217.177]) by merlin.infradead.org with esmtps (Exim 4.76 #1 (Red Hat Linux)) id 1TSV95-0007mp-IZ for linux-arm-kernel@lists.infradead.org; Sun, 28 Oct 2012 15:51:28 +0000 Received: by mail-lb0-f177.google.com with SMTP id gi11so2486044lbb.36 for ; Sun, 28 Oct 2012 08:51:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:cc:subject:date:message-id:x-mailer; bh=fPWVVJFu11IeKD2UHP2yTsgLMgp+La9zu12aZsOZFD8=; b=do7hTTRf034hxRHLP42wTPN8QNgjnnzr5sn35MxzacJCT1WLgoqx/vRDN0MQQN+FPv 6kqlsHiWG60OUlLM+CscjTRgco3NnkWZ6PWb4PpjEtXy892mvrBXj78YzQyrXK53GoJj 8alIWNSvllm1e88jfbAHjNs1yCv686sALA6TAfcaS+nzRJENMBfgKgPBVyzpemrujdQj 9NDRs7uLIZaxaZqT9Tbp9/opvAlFbmK/i7SO3tBJzYwRwd/LSCiy8YKadKa2Kt3kQzt9 ITgFJpxu5il6DHiUkeFgrj3nhWtMS2Q13nhK9jSN9rs8uYjnRgSwflxwRoI3qwePliFX RJzw== Received: by 10.112.40.227 with SMTP id a3mr10211196lbl.91.1351439485501; Sun, 28 Oct 2012 08:51:25 -0700 (PDT) Received: from localhost.localdomain ([80.249.90.60]) by mx.google.com with ESMTPS id m9sm2280490lbz.16.2012.10.28.08.51.20 (version=TLSv1/SSLv3 cipher=OTHER); Sun, 28 Oct 2012 08:51:24 -0700 (PDT) From: Vasily Khoruzhick To: Eric Miao , Russell King , Haojian Zhuang , Grant Likely , linux-arm-kernel@lists.infradead.org, spi-devel-general@lists.sourceforge.net Subject: [PATCH RESEND] spi-pxa2xx: fix memory corruption Date: Sun, 28 Oct 2012 18:51:17 +0300 Message-Id: <1351439477-9969-1-git-send-email-anarsoul@gmail.com> X-Mailer: git-send-email 1.7.12.4 X-Spam-Note: CRM114 invocation failed X-Spam-Score: -2.7 (--) X-Spam-Report: SpamAssassin version 3.3.2 on merlin.infradead.org summary: Content analysis details: (-2.7 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low trust [209.85.217.177 listed in list.dnswl.org] 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (anarsoul[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature Cc: Vasily Khoruzhick X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: linux-arm-kernel-bounces@lists.infradead.org Errors-To: linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org pxa2xx_spi_probe allocates struct driver_data and null_dma_buf at same time via spi_alloc_master(), but then calculates null_dma_buf pointer incorrectly, and it causes memory corruption later if DMA usage is enabled. Signed-off-by: Vasily Khoruzhick --- Rebased against v3.7-rc2 drivers/spi/spi-pxa2xx.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/spi/spi-pxa2xx.c b/drivers/spi/spi-pxa2xx.c index dc25bee..b25fe27 100644 --- a/drivers/spi/spi-pxa2xx.c +++ b/drivers/spi/spi-pxa2xx.c @@ -106,6 +106,7 @@ struct driver_data { int rx_channel; int tx_channel; u32 *null_dma_buf; + u8 null_dma_buf_unaligned[16]; /* SSP register addresses */ void __iomem *ioaddr; @@ -1543,8 +1544,8 @@ static int __devinit pxa2xx_spi_probe(struct platform_device *pdev) return -ENODEV; } - /* Allocate master with space for drv_data and null dma buffer */ - master = spi_alloc_master(dev, sizeof(struct driver_data) + 16); + /* Allocate master with space for drv_data */ + master = spi_alloc_master(dev, sizeof(struct driver_data)); if (!master) { dev_err(&pdev->dev, "cannot alloc spi_master\n"); pxa_ssp_free(ssp); @@ -1569,8 +1570,8 @@ static int __devinit pxa2xx_spi_probe(struct platform_device *pdev) master->transfer = transfer; drv_data->ssp_type = ssp->type; - drv_data->null_dma_buf = (u32 *)ALIGN((u32)(drv_data + - sizeof(struct driver_data)), 8); + drv_data->null_dma_buf = + (u32 *)PTR_ALIGN(&drv_data->null_dma_buf_unaligned, 8); drv_data->ioaddr = ssp->mmio_base; drv_data->ssdr_physical = ssp->phys_base + SSDR;