From patchwork Fri Sep 5 15:04:26 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Krzysztof Kozlowski X-Patchwork-Id: 4852741 Return-Path: X-Original-To: patchwork-dmaengine@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.19.201]) by patchwork1.web.kernel.org (Postfix) with ESMTP id DAB829F2EC for ; Fri, 5 Sep 2014 15:05:48 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 9860520109 for ; Fri, 5 Sep 2014 15:05:47 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 275562021A for ; Fri, 5 Sep 2014 15:05:46 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751332AbaIEPEs (ORCPT ); Fri, 5 Sep 2014 11:04:48 -0400 Received: from mailout4.w1.samsung.com ([210.118.77.14]:14431 "EHLO mailout4.w1.samsung.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751282AbaIEPEl (ORCPT ); Fri, 5 Sep 2014 11:04:41 -0400 Received: from eucpsbgm1.samsung.com (unknown [203.254.199.244]) by mailout4.w1.samsung.com (Oracle Communications Messaging Server 7u4-24.01(7.0.4.24.0) 64bit (built Nov 17 2011)) with ESMTP id <0NBF00641OOFSM20@mailout4.w1.samsung.com>; Fri, 05 Sep 2014 16:07:27 +0100 (BST) X-AuditID: cbfec7f4-b7f156d0000063c7-46-5409d10645ac Received: from eusync1.samsung.com ( [203.254.199.211]) by eucpsbgm1.samsung.com (EUCPMTA) with SMTP id FB.23.25543.601D9045; Fri, 05 Sep 2014 16:04:38 +0100 (BST) Received: from AMDC1943.digital.local ([106.116.151.171]) by eusync1.samsung.com (Oracle Communications Messaging Server 7u4-23.01(7.0.4.23.0) 64bit (built Aug 10 2011)) with ESMTPA id <0NBF00FSEOJL2G20@eusync1.samsung.com>; Fri, 05 Sep 2014 16:04:38 +0100 (BST) From: Krzysztof Kozlowski To: Dan Williams , Vinod Koul , Lars-Peter Clausen , Michal Simek , Dan Carpenter , dmaengine@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Kyungmin Park , Marek Szyprowski , Bartlomiej Zolnierkiewicz , Krzysztof Kozlowski , stable@vger.kernel.org Subject: [PATCH 3/3] dmaengine: pl330: Fix NULL pointer dereference on driver unbind Date: Fri, 05 Sep 2014 17:04:26 +0200 Message-id: <1409929466-29506-3-git-send-email-k.kozlowski@samsung.com> X-Mailer: git-send-email 1.9.1 In-reply-to: <1409929466-29506-1-git-send-email-k.kozlowski@samsung.com> References: <1409929466-29506-1-git-send-email-k.kozlowski@samsung.com> X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprMLMWRmVeSWpSXmKPExsVy+t/xy7psFzlDDDoPCVpsnLGe1eL1v+ks FtOnXmC0WD31L5D7wtDibNMbdoslk+ezWlzeNYfNYu2Ru+wW715GWCzY+IjR4mXffhYHHo/F e14yeSx5c4jV4+PTWywefVtWMXp83iTnsffzb5YAtigum5TUnMyy1CJ9uwSujD+9H9gLFqtV PDx+nbWB8aV8FyMnh4SAicS6y/0sELaYxIV769m6GLk4hASWMkoc+dbACOH0MUk837GMFaSK TcBYYvPyJWBVIgKtTBIX101nAXGYBe4ySjTffQ/UwsEhLBAm8X+6H0gDi4CqxNU/18BW8Aq4 S+w59pcJYp2cxMljk8GGcgp4SDyb/IAZxBYCqlnQcZ9tAiPvAkaGVYyiqaXJBcVJ6bmGesWJ ucWleel6yfm5mxghAfllB+PiY1aHGAU4GJV4eF8YcYYIsSaWFVfmHmKU4GBWEuG13Q0U4k1J rKxKLcqPLyrNSS0+xMjEwSnVwCglMNPQmTl/mWuUjsHp5fM2WZx+/Ej9M/sh4/lrymMmdRyc sNV3zYlL7E853e8YKd1qipzd33Ga00GT1dFmn8CuK2uqjzBufdh7+e897tPtLOaz9if6Jzs/ ujwhNUBe+LKGTMTfQEUWncYjqcESmz7/zKvbJfpuvubVWoVjTUxyn8re/j7Wd0yJpTgj0VCL uag4EQC+iadFJgIAAA== Sender: dmaengine-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: dmaengine@vger.kernel.org X-Spam-Status: No, score=-8.6 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Fix a NULL pointer dereference after unbinding the driver, if channel resources were not yet allocated (no call to pl330_alloc_chan_resources()): $ echo 12850000.mdma > /sys/bus/amba/drivers/dma-pl330/unbind [ 13.606533] DMA pl330_control: removing pch: eeab6800, chan: eeab6814, thread: (null) [ 13.614472] Unable to handle kernel NULL pointer dereference at virtual address 0000000c [ 13.622537] pgd = ee284000 [ 13.625228] [0000000c] *pgd=6e1e4831, *pte=00000000, *ppte=00000000 [ 13.631482] Internal error: Oops: 17 [#1] PREEMPT SMP ARM [ 13.636859] Modules linked in: [ 13.639903] CPU: 0 PID: 1 Comm: sh Not tainted 3.17.0-rc3-next-20140904-00004-g7020ffc33ca3-dirty #420 [ 13.649187] task: ee80a800 ti: ee888000 task.ti: ee888000 [ 13.654589] PC is at _stop+0x8/0x2c8 [ 13.658131] LR is at pl330_control+0x70/0x2e8 [ 13.662468] pc : [] lr : [] psr: 60000093 [ 13.662468] sp : ee889e58 ip : 00000001 fp : 000bab70 [ 13.673922] r10: eeab6814 r9 : ee16debc r8 : 00000000 [ 13.679131] r7 : eeab685c r6 : 60000013 r5 : ee16de10 r4 : eeab6800 [ 13.685641] r3 : 00000002 r2 : 00000000 r1 : 00010000 r0 : 00000000 [ 13.692153] Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user [ 13.699357] Control: 10c5387d Table: 6e28404a DAC: 00000015 [ 13.705085] Process sh (pid: 1, stack limit = 0xee888240) [ 13.710466] Stack: (0xee889e58 to 0xee88a000) [ 13.714808] 9e40: 00000002 eeab6800 [ 13.722969] 9e60: ee16de10 eeab6800 ee16de10 60000013 eeab685c c020649c 00000000 c040280c [ 13.731128] 9e80: ee889e80 ee889e80 ee16de18 ee16de10 eeab6880 eeab6814 00200200 eeab68a8 [ 13.739287] 9ea0: 00100100 c0208048 00000000 c0409fc4 eea80800 eea808f8 c0605c44 0000000e [ 13.747446] 9ec0: 0000000e eeb3960c eeb39600 c0203c48 eea80800 c0605c44 c0605a8c c023f694 [ 13.755605] 9ee0: ee80a800 eea80834 eea80800 c023f704 ee80a800 eea80800 c0605c44 c023e8ec [ 13.763764] 9f00: 0000000e ee149780 ee29e580 ee889f80 ee29e580 c023e19c 0000000e c01167e4 [ 13.771923] 9f20: c01167a0 00000000 00000000 c0115e88 00000000 00000000 ee0b1a00 0000000e [ 13.780082] 9f40: b6f48000 ee889f80 0000000e ee888000 b6f48000 c00bfadc 00000000 00000003 [ 13.788241] 9f60: 00000000 00000000 00000000 ee0b1a00 ee0b1a00 0000000e b6f48000 c00bfdf4 [ 13.796401] 9f80: 00000000 00000000 ffffffff 0000000e b6f48000 b6edc5d0 00000004 c000e7a4 [ 13.804560] 9fa0: 00000000 c000e620 0000000e b6f48000 00000001 b6f48000 0000000e 00000000 [ 13.812719] 9fc0: 0000000e b6f48000 b6edc5d0 00000004 0000000e b6f4c8c0 000c3470 000bab70 [ 13.820879] 9fe0: 00000000 bed2aa50 b6e18bdc b6e6b52c 60000010 00000001 c0c0c0c0 c0c0c0c0 [ 13.829058] [] (_stop) from [] (pl330_control+0x70/0x2e8) [ 13.836165] [] (pl330_control) from [] (pl330_remove+0xb0/0xdc) [ 13.843800] [] (pl330_remove) from [] (amba_remove+0x24/0xc0) [ 13.851272] [] (amba_remove) from [] (__device_release_driver+0x70/0xc4) [ 13.859685] [] (__device_release_driver) from [] (device_release_driver+0x1c/0x28) [ 13.868971] [] (device_release_driver) from [] (unbind_store+0x58/0x90) [ 13.877303] [] (unbind_store) from [] (drv_attr_store+0x20/0x2c) [ 13.885036] [] (drv_attr_store) from [] (sysfs_kf_write+0x44/0x48) [ 13.892928] [] (sysfs_kf_write) from [] (kernfs_fop_write+0xc0/0x17c) [ 13.901090] [] (kernfs_fop_write) from [] (vfs_write+0xa0/0x1a8) [ 13.908812] [] (vfs_write) from [] (SyS_write+0x40/0x8c) [ 13.915850] [] (SyS_write) from [] (ret_fast_syscall+0x0/0x30) [ 13.923392] Code: e5813010 e12fff1e e92d40f0 e24dd00c (e590200c) [ 13.929467] ---[ end trace 10064e15a5929cf8 ]--- Terminate the thread and free channel resource only if channel resources were allocated (thread is not NULL). Signed-off-by: Krzysztof Kozlowski Cc: Fixes: b3040e40675e ("DMA: PL330: Add dma api driver") Reviewed-by: Lars-Peter Clausen --- drivers/dma/pl330.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c index 04c2f39227f1..66e89f04504c 100644 --- a/drivers/dma/pl330.c +++ b/drivers/dma/pl330.c @@ -2785,8 +2785,10 @@ static int pl330_remove(struct amba_device *adev) list_del(&pch->chan.device_node); /* Flush the channel */ - pl330_control(&pch->chan, DMA_TERMINATE_ALL, 0); - pl330_free_chan_resources(&pch->chan); + if (pch->thread) { + pl330_control(&pch->chan, DMA_TERMINATE_ALL, 0); + pl330_free_chan_resources(&pch->chan); + } } pl330_del(pl330);