Hi Geert,

On Mon, Feb 17, 2014 at 07:02:09PM +0100, Geert Uytterhoeven wrote:
> On Mon, Feb 17, 2014 at 6:20 PM, Maxime Ripard
> <maxime.ripard@xxxxxxxxxxxxxxxxxx> wrote:
> > When the generic implementation of the transfer_one_message callback was called
> > by the spi_pump_messages function, if that transfer was to fail, the
> > spi_finalize_current_message was called twice, once in
> > spi_transfer_one_message, and one in spi_pump_messages.
> >
> > This was causing a null pointer dereference in the second call, because the
> > first one set the ->cur_msg field to NULL.
> >
> > Since the SPI framework expects the transfer_one_message callback to call
> > spi_finalize_current_message, we can remove it from spi_pump_messages, together
> > with any dereference of the ->cur_msg pointer.
> >
> > Signed-off-by: Maxime Ripard <maxime.ripard@xxxxxxxxxxxxxxxxxx>
> > Cc: stable@xxxxxxxxxxxxxxx
>
> Already fixed in v3.14-rc3 in 1f802f8249a0da536877842c43c7204064c4de8b
> ("spi: Fix crash with double message finalisation on error handling").
>
> There's no need to inform stable, as the problem was introduced in v3.14-rc1.

Oops, totally missed that.

Thanks!
Maxime

-- 
Maxime Ripard, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com
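
The double finalisation described in the quoted commit message, as an added user-space model that is not part of this thread and is not the kernel's code. All `model_*` names, the struct layouts and the -5 error value are assumptions made for illustration; the second finalize is counted instead of dereferencing the NULL pointer.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the message and the controller state. */
struct model_msg { int status; int completions; };
struct model_master { struct model_msg *cur_msg; int bad_finalize; };

/* Complete the in-flight message and clear ->cur_msg. A second call finds
 * cur_msg == NULL, which is where the thread reports the NULL pointer
 * dereference; the model records it rather than crashing. */
static void model_finalize(struct model_master *m)
{
    struct model_msg *msg = m->cur_msg;

    if (msg == NULL) {
        m->bad_finalize++;
        return;
    }
    m->cur_msg = NULL;
    msg->completions++;
}

/* Generic transfer callback: it owns finalisation on success and on failure. */
static int model_transfer_one_message(struct model_master *m, int fail)
{
    int ret = fail ? -5 : 0;   /* -5 is a constructed error code */

    m->cur_msg->status = ret;
    model_finalize(m);
    return ret;
}

/* Message pump. caller_finalizes_on_error = 1 models the behaviour before the
 * fix, 0 the behaviour after it. Returns how many times finalize ran with
 * cur_msg already NULL. */
static int model_pump(struct model_msg *msg, int fail, int caller_finalizes_on_error)
{
    struct model_master m = { .cur_msg = msg, .bad_finalize = 0 };
    int ret = model_transfer_one_message(&m, fail);

    if (ret && caller_finalizes_on_error)
        model_finalize(&m);    /* second finalize on the error path */
    return m.bad_finalize;
}

int main(void)
{
    struct model_msg before = {0, 0}, after = {0, 0};

    printf("before fix: %d finalize call(s) on NULL cur_msg\n", model_pump(&before, 1, 1));
    printf("after fix:  %d finalize call(s) on NULL cur_msg\n", model_pump(&after, 1, 0));
    return 0;
}
```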