From patchwork Sun Jul 10 15:18:19 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vasily Khoruzhick X-Patchwork-Id: 961482 Received: from lists.sourceforge.net (lists.sourceforge.net [216.34.181.88]) by demeter2.kernel.org (8.14.4/8.14.4) with ESMTP id p6AFTUs9017928 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Sun, 10 Jul 2011 15:29:52 GMT Received: from localhost ([127.0.0.1] helo=sfs-ml-4.v29.ch3.sourceforge.com) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1Qfvme-0008MG-Fo; Sun, 10 Jul 2011 15:19:00 +0000 Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193] helo=mx.sourceforge.net) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1Qfvmd-0008MB-Hl for spi-devel-general@lists.sourceforge.net; Sun, 10 Jul 2011 15:18:59 +0000 Received-SPF: pass (sog-mx-3.v43.ch3.sourceforge.com: domain of gmail.com designates 209.85.214.47 as permitted sender) client-ip=209.85.214.47; envelope-from=anarsoul@gmail.com; helo=mail-bw0-f47.google.com; Received: from mail-bw0-f47.google.com ([209.85.214.47]) by sog-mx-3.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1Qfvmc-0004lL-OE for spi-devel-general@lists.sourceforge.net; Sun, 10 Jul 2011 15:18:59 +0000 Received: by bwf20 with SMTP id 20so4336190bwf.34 for ; Sun, 10 Jul 2011 08:18:52 -0700 (PDT) Received: by 10.205.65.68 with SMTP id xl4mr1236503bkb.303.1310311132254; Sun, 10 Jul 2011 08:18:52 -0700 (PDT) Received: from localhost.localdomain ([212.98.182.62]) by mx.google.com with ESMTPS id k5sm770630bka.38.2011.07.10.08.18.49 (version=TLSv1/SSLv3 cipher=OTHER); Sun, 10 Jul 2011 08:18:51 -0700 (PDT) From: Vasily Khoruzhick To: Marek Vasut , "Russell King - ARM Linux" , linux-arm-kernel@lists.infradead.org, spi-devel-general@lists.sourceforge.net, Eric Miao , David Brownell , Grant Likely Subject: [PATCH v3] pxa2xx_spi: fix memory corruption Date: Sun, 10 Jul 2011 18:18:19 +0300 Message-Id: <1310311099-24638-1-git-send-email-anarsoul@gmail.com> X-Mailer: git-send-email 1.7.5.rc3 In-Reply-To: <201107101609.31405.anarsoul@gmail.com> References: <201107101609.31405.anarsoul@gmail.com> X-Spam-Score: -1.1 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (anarsoul[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.5 AWL AWL: From: address is in the auto white-list X-Headers-End: 1Qfvmc-0004lL-OE Cc: Vasily Khoruzhick X-BeenThere: spi-devel-general@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: Linux SPI core/device drivers discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: spi-devel-general-bounces@lists.sourceforge.net X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.2.6 (demeter2.kernel.org [140.211.167.43]); Sun, 10 Jul 2011 15:29:52 +0000 (UTC) pxa2xx_spi_probe allocates struct driver_data and null_dma_buf at same time via spi_alloc_master(), but then calculates null_dma_buf pointer incorrectly, and it causes memory corruption later if DMA usage is enabled. Signed-off-by: Vasily Khoruzhick --- v2: - add u8 __null_dma_buf[16] to the end of driver_data structure and use it as null_dma_buf after alignment. - use PTR_ALIGN instead of ALIGN v3: - drop (u8 *) cast, use & operator instead, change array name drivers/spi/pxa2xx_spi.c | 9 +++++---- 1 files changed, 5 insertions(+), 4 deletions(-) diff --git a/drivers/spi/pxa2xx_spi.c b/drivers/spi/pxa2xx_spi.c index dc25bee..b25fe27 100644 --- a/drivers/spi/pxa2xx_spi.c +++ b/drivers/spi/pxa2xx_spi.c @@ -106,6 +106,7 @@ struct driver_data { int rx_channel; int tx_channel; u32 *null_dma_buf; + u8 null_dma_buf_unaligned[16]; /* SSP register addresses */ void __iomem *ioaddr; @@ -1543,8 +1544,8 @@ static int __devinit pxa2xx_spi_probe(struct platform_device *pdev) return -ENODEV; } - /* Allocate master with space for drv_data and null dma buffer */ - master = spi_alloc_master(dev, sizeof(struct driver_data) + 16); + /* Allocate master with space for drv_data */ + master = spi_alloc_master(dev, sizeof(struct driver_data)); if (!master) { dev_err(&pdev->dev, "cannot alloc spi_master\n"); pxa_ssp_free(ssp); @@ -1569,8 +1570,8 @@ static int __devinit pxa2xx_spi_probe(struct platform_device *pdev) master->transfer = transfer; drv_data->ssp_type = ssp->type; - drv_data->null_dma_buf = (u32 *)ALIGN((u32)(drv_data + - sizeof(struct driver_data)), 8); + drv_data->null_dma_buf = + (u32 *)PTR_ALIGN(&drv_data->null_dma_buf_unaligned, 8); drv_data->ioaddr = ssp->mmio_base; drv_data->ssdr_physical = ssp->phys_base + SSDR;