On 05.02.19 at 13:09, Wolfram Sang wrote:
> On Thu, Dec 27, 2018 at 04:42:25PM +0100, Paul Kocialkowski wrote:
>> The driver's interrupt handler checks whether a message is currently
>> being handled with the curr_msg pointer. When it is NULL, the interrupt
>> is considered to be unexpected. Similarly, the i2c_start_transfer
>> routine checks for the remaining number of messages to handle in
>> num_msgs.
>>
>> However, these values are never cleared and always keep the message and
>> number relevant to the latest transfer (which might be done already and
>> the underlying message memory might have been freed).
>>
>> When an unexpected interrupt hits with the DONE bit set, the isr will
>> then try to access the flags field of the curr_msg structure, leading
>> to a fatal page fault.
>>
>> The msg_buf and msg_buf_remaining fields are also never cleared at the
>> end of the transfer, which can lead to similar pitfalls.
>>
>> Fix these issues by introducing a cleanup function and always calling
>> it after a transfer is finished.
>>
>> Fixes: e2474541032d ("i2c: bcm2835: Fix hang for writing messages larger than 16 bytes")
>> Signed-off-by: Paul Kocialkowski <paul.kocialkowski@xxxxxxxxxxx>
> Stefan, Florian, any comment about this patch?

Acked-by: Stefan Wahren <stefan.wahren@xxxxxxxx>

Thanks
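The stale-state problem described in the quoted commit message, as an added user-space C model (not code from the thread or from the bcm2835 driver): the NULL check in the interrupt handler only protects against a late DONE interrupt if the transfer state is cleared once the transfer ends. Assumptions: the struct layouts, the STATUS_DONE value, last_flags and the function names finish_transfer, isr, xfer and spurious_irq_after_free are hypothetical; only the field names curr_msg, num_msgs, msg_buf and msg_buf_remaining come from the message.

```c
#include <stdint.h>
#include <stdlib.h>

#define STATUS_DONE 0x2u /* constructed value, not the hardware's bit */

struct msg { uint16_t flags; uint16_t len; uint8_t *buf; };
struct dev {                 /* simplified model of the driver state */
    struct msg *curr_msg;
    int num_msgs;
    uint8_t *msg_buf;
    size_t msg_buf_remaining;
    uint16_t last_flags;
    int completions, unexpected_irqs;
};

/* Cleanup step: drop every reference to caller-owned message memory. */
static void finish_transfer(struct dev *d)
{
    d->curr_msg = NULL;
    d->num_msgs = 0;
    d->msg_buf = NULL;
    d->msg_buf_remaining = 0;
}

/* Returns 1 if the interrupt belonged to a transfer, 0 if unexpected. */
static int isr(struct dev *d, uint32_t status)
{
    if (!d->curr_msg) {      /* only meaningful if cleared after use */
        d->unexpected_irqs++;
        return 0;
    }
    if (status & STATUS_DONE) {
        d->last_flags = d->curr_msg->flags; /* faults if pointer is stale */
        d->completions++;
    }
    return 1;
}

static void xfer(struct dev *d, struct msg *msgs, int num)
{
    d->curr_msg = msgs;      d->num_msgs = num;
    d->msg_buf = msgs->buf;  d->msg_buf_remaining = msgs->len;
    isr(d, STATUS_DONE);     /* completion interrupt for this transfer */
    finish_transfer(d);      /* without this, curr_msg dangles below */
}

/* A late DONE interrupt arriving after the caller freed its message. */
int spurious_irq_after_free(struct dev *d)
{
    struct msg *m = calloc(1, sizeof(*m));
    if (!m) return -1;
    xfer(d, m, 1);
    free(m);
    return isr(d, STATUS_DONE); /* 0: rejected, freed memory untouched */
}
```

Removing the finish_transfer() call from xfer() reproduces the reported pattern: the second isr() call then reads flags through a pointer to freed memory, which AddressSanitizer reports as a heap-use-after-free.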