On Mon, Feb 01, 2016 at 03:39:23PM -0700, Joshua Henderson wrote: > From: Purna Chandra Mandal <purna.mandal@xxxxxxxxxxxxx> > There is a BUG in the way SPI_MASTER_MUST_RX/TX is implemented which can create Bug is a WORD like any other WORD... > (1) spi core assigns dummy_rx buffer to transfer.rx_buf member and > (2) passes it to lower layer for handling. and lower layer completed the > transfer/message in due time. > (3) spi core deletes the buffer if no other requests pending, but > 'transfer.rx_buf' continues to hold *stale* dummy buffer pointer. > (4) If spi client driver (like mmc_spi) reuses the same transfer structure and > don't touch .rx_buf to NULL > mmc_spi doesn't reset the ptr unless data transfer direction changes in future > transaction(s). spi core will skip assigning new dummy buffer and underlying > master driver will treat .rx_buf as legitimate ptr. This will result into memory > corruption due to usage of free'd ptr. It's not clear to me that this is the best fix, it's causing problems to free the transfer but we could also fix that by just not freeing the dummy data once we realize we need it unless the adaptor is freed. That should also be more efficient since it saves us having to allocate and free things.
Attachment:
signature.asc
Description: PGP signature
