From patchwork Tue Dec 15 00:30:18 2020
X-Patchwork-Submitter: Doug Anderson
X-Patchwork-Id: 11973477
From: Douglas Anderson
To: Mark Brown
Cc: msavaliy@qti.qualcomm.com, akashast@codeaurora.org, Stephen Boyd, Roja Rani Yarubandi, Douglas Anderson, Alok Chauhan, Andy Gross, Bjorn Andersson, Girish Mahadevan, linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, linux-spi@vger.kernel.org
Subject: [PATCH 1/2] spi: spi-geni-qcom: Fix geni_spi_isr() NULL dereference in timeout case
Date: Mon, 14 Dec 2020 16:30:18 -0800
Message-Id: <20201214162937.1.I99ee04f0cb823415df59bd4f550d6ff5756e43d6@changeid>

In commit 7ba9bdcb91f6 ("spi: spi-geni-qcom: Don't keep a local state
variable") we changed handle_fifo_timeout() so that we set
"mas->cur_xfer" to NULL to make absolutely sure that we don't mess
with the buffers from the previous transfer in the timeout case.

Unfortunately, this caused the IRQ handler to dereference NULL in some
cases. One case:

CPU0 CPU1 ---- ---- setup_fifo_xfer() ... geni_se_setup_m_cmd() spin_unlock_irq()