From 4609a179c97ae60fef173547a9bbb214359808ce Mon Sep 17 00:00:00 2001 From: Russell King Date: Mon, 26 Jul 2010 12:18:16 +0100 Subject: ARM: Fix csum_partial_copy_from_user() Using the parent functions frame pointer to access our arguments is completely wrong, whether or not we're building with frame pointers or not. What we should be using is the stack pointer to get at the word above the registers we stacked ourselves. Reported-by: Bosko Radivojevic Tested-by: Bosko Radivojevic Signed-off-by: Russell King --- arch/arm/lib/csumpartialcopyuser.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'arch') diff --git a/arch/arm/lib/csumpartialcopyuser.S b/arch/arm/lib/csumpartialcopyuser.S index 59ff6fdc1e63..7d08b43d2c0e 100644 --- a/arch/arm/lib/csumpartialcopyuser.S +++ b/arch/arm/lib/csumpartialcopyuser.S @@ -71,7 +71,7 @@ .pushsection .fixup,"ax" .align 4 9001: mov r4, #-EFAULT - ldr r5, [fp, #4] @ *err_ptr + ldr r5, [sp, #8*4] @ *err_ptr str r4, [r5] ldmia sp, {r1, r2} @ retrieve dst, len add r2, r2, r1 -- cgit v1.2.1 From f1b957d3a06826f4a30fd4440e54a6b87c2e6173 Mon Sep 17 00:00:00 2001 From: Magnus Damm Date: Wed, 28 Jul 2010 05:46:21 +0100 Subject: ARM: 6270/1: clean files in arch/arm/boot/compressed/ Update the compressed boot Makefile for ARM to remove files during clean. Signed-off-by: Magnus Damm Signed-off-by: Russell King --- arch/arm/boot/compressed/Makefile | 3 +++ 1 file changed, 3 insertions(+) (limited to 'arch') diff --git a/arch/arm/boot/compressed/Makefile b/arch/arm/boot/compressed/Makefile index 53faa9063a03..864a002137fe 100644 --- a/arch/arm/boot/compressed/Makefile +++ b/arch/arm/boot/compressed/Makefile @@ -71,6 +71,9 @@ targets := vmlinux vmlinux.lds \ piggy.$(suffix_y) piggy.$(suffix_y).o \ font.o font.c head.o misc.o $(OBJS) +# Make sure files are removed during clean +extra-y += piggy.gzip piggy.lzo piggy.lzma lib1funcs.S + ifeq ($(CONFIG_FUNCTION_TRACER),y) ORIG_CFLAGS := $(KBUILD_CFLAGS) KBUILD_CFLAGS = $(subst -pg, , $(ORIG_CFLAGS)) -- cgit v1.2.1 From 661f10f6b6ce55c737e88c4803453eba4ba3a61c Mon Sep 17 00:00:00 2001 From: Rabin Vincent Date: Thu, 29 Jul 2010 12:13:18 +0100 Subject: ARM: 6275/1: ux500: don't use writeb() in uncompress.h Don't use writeb() in uncompress.h, to avoid the following build errors when the "Add barriers to the I/O accessors" series is applied. Use __raw_writeb() instead. arch/arm/boot/compressed/misc.o: In function `putc': arch/arm/mach-ux500/include/mach/uncompress.h:41: undefined reference to `outer_cache' Acked-by: Linus Walleij Signed-off-by: Rabin Vincent Signed-off-by: Russell King --- arch/arm/mach-ux500/include/mach/uncompress.h | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'arch') diff --git a/arch/arm/mach-ux500/include/mach/uncompress.h b/arch/arm/mach-ux500/include/mach/uncompress.h index 8552eb188b50..0271ca0a83df 100644 --- a/arch/arm/mach-ux500/include/mach/uncompress.h +++ b/arch/arm/mach-ux500/include/mach/uncompress.h @@ -30,22 +30,22 @@ static void putc(const char c) { /* Do nothing if the UART is not enabled. */ - if (!(readb(U8500_UART_CR) & 0x1)) + if (!(__raw_readb(U8500_UART_CR) & 0x1)) return; if (c == '\n') putc('\r'); - while (readb(U8500_UART_FR) & (1 << 5)) + while (__raw_readb(U8500_UART_FR) & (1 << 5)) barrier(); - writeb(c, U8500_UART_DR); + __raw_writeb(c, U8500_UART_DR); } static void flush(void) { - if (!(readb(U8500_UART_CR) & 0x1)) + if (!(__raw_readb(U8500_UART_CR) & 0x1)) return; - while (readb(U8500_UART_FR) & (1 << 3)) + while (__raw_readb(U8500_UART_FR) & (1 << 3)) barrier(); } -- cgit v1.2.1 From e936771a76a7b61ca55a5142a3de835c2e196871 Mon Sep 17 00:00:00 2001 From: Catalin Marinas Date: Wed, 28 Jul 2010 22:00:54 +0100 Subject: ARM: 6271/1: Introduce *_relaxed() I/O accessors This patch introduces readl*_relaxed()/write*_relaxed() as the main I/O accessors (when __mem_pci is defined). The standard read*()/write*() macros are now based on the relaxed accessors. This patch is in preparation for a subsequent patch which adds barriers to the I/O accessors. Signed-off-by: Catalin Marinas Signed-off-by: Russell King --- arch/arm/include/asm/io.h | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) (limited to 'arch') diff --git a/arch/arm/include/asm/io.h b/arch/arm/include/asm/io.h index c980156f3263..9db072df2b3d 100644 --- a/arch/arm/include/asm/io.h +++ b/arch/arm/include/asm/io.h @@ -179,25 +179,30 @@ extern void _memset_io(volatile void __iomem *, int, size_t); * IO port primitives for more information. */ #ifdef __mem_pci -#define readb(c) ({ __u8 __v = __raw_readb(__mem_pci(c)); __v; }) -#define readw(c) ({ __u16 __v = le16_to_cpu((__force __le16) \ +#define readb_relaxed(c) ({ u8 __v = __raw_readb(__mem_pci(c)); __v; }) +#define readw_relaxed(c) ({ u16 __v = le16_to_cpu((__force __le16) \ __raw_readw(__mem_pci(c))); __v; }) -#define readl(c) ({ __u32 __v = le32_to_cpu((__force __le32) \ +#define readl_relaxed(c) ({ u32 __v = le32_to_cpu((__force __le32) \ __raw_readl(__mem_pci(c))); __v; }) -#define readb_relaxed(addr) readb(addr) -#define readw_relaxed(addr) readw(addr) -#define readl_relaxed(addr) readl(addr) + +#define writeb_relaxed(v,c) ((void)__raw_writeb(v,__mem_pci(c))) +#define writew_relaxed(v,c) ((void)__raw_writew((__force u16) \ + cpu_to_le16(v),__mem_pci(c))) +#define writel_relaxed(v,c) ((void)__raw_writel((__force u32) \ + cpu_to_le32(v),__mem_pci(c))) + +#define readb(c) readb_relaxed(c) +#define readw(c) readw_relaxed(c) +#define readl(c) readl_relaxed(c) + +#define writeb(v,c) writeb_relaxed(v,c) +#define writew(v,c) writew_relaxed(v,c) +#define writel(v,c) writel_relaxed(v,c) #define readsb(p,d,l) __raw_readsb(__mem_pci(p),d,l) #define readsw(p,d,l) __raw_readsw(__mem_pci(p),d,l) #define readsl(p,d,l) __raw_readsl(__mem_pci(p),d,l) -#define writeb(v,c) __raw_writeb(v,__mem_pci(c)) -#define writew(v,c) __raw_writew((__force __u16) \ - cpu_to_le16(v),__mem_pci(c)) -#define writel(v,c) __raw_writel((__force __u32) \ - cpu_to_le32(v),__mem_pci(c)) - #define writesb(p,d,l) __raw_writesb(__mem_pci(p),d,l) #define writesw(p,d,l) __raw_writesw(__mem_pci(p),d,l) #define writesl(p,d,l) __raw_writesl(__mem_pci(p),d,l) -- cgit v1.2.1 From 6775a558fece413376e1dacd435adb5fbe225f40 Mon Sep 17 00:00:00 2001 From: Catalin Marinas Date: Wed, 28 Jul 2010 22:01:25 +0100 Subject: ARM: 6272/1: Convert L2x0 to use the IO relaxed operations This patch is in preparation for a subsequent patch which adds barriers to the I/O accessors. Since the mandatory barriers may do an L2 cache sync, this patch avoids a recursive call into l2x0_cache_sync() via the write*() accessors and wmb() and a call into l2x0_cache_sync() with the l2x0_lock held. Signed-off-by: Catalin Marinas Signed-off-by: Russell King --- arch/arm/mm/cache-l2x0.c | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) (limited to 'arch') diff --git a/arch/arm/mm/cache-l2x0.c b/arch/arm/mm/cache-l2x0.c index df4955885b21..9982eb385c0f 100644 --- a/arch/arm/mm/cache-l2x0.c +++ b/arch/arm/mm/cache-l2x0.c @@ -32,14 +32,14 @@ static uint32_t l2x0_way_mask; /* Bitmask of active ways */ static inline void cache_wait(void __iomem *reg, unsigned long mask) { /* wait for the operation to complete */ - while (readl(reg) & mask) + while (readl_relaxed(reg) & mask) ; } static inline void cache_sync(void) { void __iomem *base = l2x0_base; - writel(0, base + L2X0_CACHE_SYNC); + writel_relaxed(0, base + L2X0_CACHE_SYNC); cache_wait(base + L2X0_CACHE_SYNC, 1); } @@ -47,14 +47,14 @@ static inline void l2x0_clean_line(unsigned long addr) { void __iomem *base = l2x0_base; cache_wait(base + L2X0_CLEAN_LINE_PA, 1); - writel(addr, base + L2X0_CLEAN_LINE_PA); + writel_relaxed(addr, base + L2X0_CLEAN_LINE_PA); } static inline void l2x0_inv_line(unsigned long addr) { void __iomem *base = l2x0_base; cache_wait(base + L2X0_INV_LINE_PA, 1); - writel(addr, base + L2X0_INV_LINE_PA); + writel_relaxed(addr, base + L2X0_INV_LINE_PA); } #ifdef CONFIG_PL310_ERRATA_588369 @@ -75,9 +75,9 @@ static inline void l2x0_flush_line(unsigned long addr) /* Clean by PA followed by Invalidate by PA */ cache_wait(base + L2X0_CLEAN_LINE_PA, 1); - writel(addr, base + L2X0_CLEAN_LINE_PA); + writel_relaxed(addr, base + L2X0_CLEAN_LINE_PA); cache_wait(base + L2X0_INV_LINE_PA, 1); - writel(addr, base + L2X0_INV_LINE_PA); + writel_relaxed(addr, base + L2X0_INV_LINE_PA); } #else @@ -90,7 +90,7 @@ static inline void l2x0_flush_line(unsigned long addr) { void __iomem *base = l2x0_base; cache_wait(base + L2X0_CLEAN_INV_LINE_PA, 1); - writel(addr, base + L2X0_CLEAN_INV_LINE_PA); + writel_relaxed(addr, base + L2X0_CLEAN_INV_LINE_PA); } #endif @@ -109,7 +109,7 @@ static inline void l2x0_inv_all(void) /* invalidate all ways */ spin_lock_irqsave(&l2x0_lock, flags); - writel(l2x0_way_mask, l2x0_base + L2X0_INV_WAY); + writel_relaxed(l2x0_way_mask, l2x0_base + L2X0_INV_WAY); cache_wait(l2x0_base + L2X0_INV_WAY, l2x0_way_mask); cache_sync(); spin_unlock_irqrestore(&l2x0_lock, flags); @@ -215,8 +215,8 @@ void __init l2x0_init(void __iomem *base, __u32 aux_val, __u32 aux_mask) l2x0_base = base; - cache_id = readl(l2x0_base + L2X0_CACHE_ID); - aux = readl(l2x0_base + L2X0_AUX_CTRL); + cache_id = readl_relaxed(l2x0_base + L2X0_CACHE_ID); + aux = readl_relaxed(l2x0_base + L2X0_AUX_CTRL); aux &= aux_mask; aux |= aux_val; @@ -248,15 +248,15 @@ void __init l2x0_init(void __iomem *base, __u32 aux_val, __u32 aux_mask) * If you are booting from non-secure mode * accessing the below registers will fault. */ - if (!(readl(l2x0_base + L2X0_CTRL) & 1)) { + if (!(readl_relaxed(l2x0_base + L2X0_CTRL) & 1)) { /* l2x0 controller is disabled */ - writel(aux, l2x0_base + L2X0_AUX_CTRL); + writel_relaxed(aux, l2x0_base + L2X0_AUX_CTRL); l2x0_inv_all(); /* enable L2X0 */ - writel(1, l2x0_base + L2X0_CTRL); + writel_relaxed(1, l2x0_base + L2X0_CTRL); } outer_cache.inv_range = l2x0_inv_range; -- cgit v1.2.1 From 79f64dbf68c8a9779a7e9a25e0a9f0217a25b57a Mon Sep 17 00:00:00 2001 From: Catalin Marinas Date: Wed, 28 Jul 2010 22:01:55 +0100 Subject: ARM: 6273/1: Add barriers to the I/O accessors if ARM_DMA_MEM_BUFFERABLE When the coherent DMA buffers are mapped as Normal Non-cacheable (ARM_DMA_MEM_BUFFERABLE enabled), buffer accesses are no longer ordered with Device memory accesses causing failures in device drivers that do not use the mandatory memory barriers before starting a DMA transfer. LKML discussions led to the conclusion that such barriers have to be added to the I/O accessors: http://thread.gmane.org/gmane.linux.kernel/683509/focus=686153 http://thread.gmane.org/gmane.linux.ide/46414 http://thread.gmane.org/gmane.linux.kernel.cross-arch/5250 This patch introduces a wmb() barrier to the write*() I/O accessors to handle the situations where Normal Non-cacheable writes are still in the processor (or L2 cache controller) write buffer before a DMA transfer command is issued. For the read*() accessors, a rmb() is introduced after the I/O to avoid speculative loads where the driver polls for a DMA transfer ready bit. Signed-off-by: Catalin Marinas Signed-off-by: Russell King --- arch/arm/include/asm/io.h | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'arch') diff --git a/arch/arm/include/asm/io.h b/arch/arm/include/asm/io.h index 9db072df2b3d..3c91e7c80c29 100644 --- a/arch/arm/include/asm/io.h +++ b/arch/arm/include/asm/io.h @@ -26,6 +26,7 @@ #include #include #include +#include /* * ISA I/O bus memory addresses are 1:1 with the physical address. @@ -191,6 +192,15 @@ extern void _memset_io(volatile void __iomem *, int, size_t); #define writel_relaxed(v,c) ((void)__raw_writel((__force u32) \ cpu_to_le32(v),__mem_pci(c))) +#ifdef CONFIG_ARM_DMA_MEM_BUFFERABLE +#define readb(c) ({ u8 __v = readb_relaxed(c); rmb(); __v; }) +#define readw(c) ({ u16 __v = readw_relaxed(c); rmb(); __v; }) +#define readl(c) ({ u32 __v = readl_relaxed(c); rmb(); __v; }) + +#define writeb(v,c) ({ wmb(); writeb_relaxed(v,c); }) +#define writew(v,c) ({ wmb(); writew_relaxed(v,c); }) +#define writel(v,c) ({ wmb(); writel_relaxed(v,c); }) +#else #define readb(c) readb_relaxed(c) #define readw(c) readw_relaxed(c) #define readl(c) readl_relaxed(c) @@ -198,6 +208,7 @@ extern void _memset_io(volatile void __iomem *, int, size_t); #define writeb(v,c) writeb_relaxed(v,c) #define writew(v,c) writew_relaxed(v,c) #define writel(v,c) writel_relaxed(v,c) +#endif #define readsb(p,d,l) __raw_readsb(__mem_pci(p),d,l) #define readsw(p,d,l) __raw_readsw(__mem_pci(p),d,l) -- cgit v1.2.1 From b92b3612134faff171981fad4f0adb33f485e02e Mon Sep 17 00:00:00 2001 From: Russell King Date: Thu, 29 Jul 2010 11:38:05 +0100 Subject: ARM: Add barriers to io{read,write}{8,16,32} accessors as well The ioread/iowrite accessors also need barriers as they're used in place of readl/writel et.al. in portable drivers. Create __iormb() and __iowmb() which are conditionally defined to be barriers dependent on ARM_DMA_MEM_BUFFERABLE, and always use these macros in the accessors. Signed-off-by: Russell King --- arch/arm/include/asm/io.h | 38 ++++++++++++++++++-------------------- 1 file changed, 18 insertions(+), 20 deletions(-) (limited to 'arch') diff --git a/arch/arm/include/asm/io.h b/arch/arm/include/asm/io.h index 3c91e7c80c29..1261b1f928d9 100644 --- a/arch/arm/include/asm/io.h +++ b/arch/arm/include/asm/io.h @@ -193,23 +193,21 @@ extern void _memset_io(volatile void __iomem *, int, size_t); cpu_to_le32(v),__mem_pci(c))) #ifdef CONFIG_ARM_DMA_MEM_BUFFERABLE -#define readb(c) ({ u8 __v = readb_relaxed(c); rmb(); __v; }) -#define readw(c) ({ u16 __v = readw_relaxed(c); rmb(); __v; }) -#define readl(c) ({ u32 __v = readl_relaxed(c); rmb(); __v; }) - -#define writeb(v,c) ({ wmb(); writeb_relaxed(v,c); }) -#define writew(v,c) ({ wmb(); writew_relaxed(v,c); }) -#define writel(v,c) ({ wmb(); writel_relaxed(v,c); }) +#define __iormb() rmb() +#define __iowmb() wmb() #else -#define readb(c) readb_relaxed(c) -#define readw(c) readw_relaxed(c) -#define readl(c) readl_relaxed(c) - -#define writeb(v,c) writeb_relaxed(v,c) -#define writew(v,c) writew_relaxed(v,c) -#define writel(v,c) writel_relaxed(v,c) +#define __iormb() do { } while (0) +#define __iowmb() do { } while (0) #endif +#define readb(c) ({ u8 __v = readb_relaxed(c); __iormb(); __v; }) +#define readw(c) ({ u16 __v = readw_relaxed(c); __iormb(); __v; }) +#define readl(c) ({ u32 __v = readl_relaxed(c); __iormb(); __v; }) + +#define writeb(v,c) ({ __iowmb(); writeb_relaxed(v,c); }) +#define writew(v,c) ({ __iowmb(); writew_relaxed(v,c); }) +#define writel(v,c) ({ __iowmb(); writel_relaxed(v,c); }) + #define readsb(p,d,l) __raw_readsb(__mem_pci(p),d,l) #define readsw(p,d,l) __raw_readsw(__mem_pci(p),d,l) #define readsl(p,d,l) __raw_readsl(__mem_pci(p),d,l) @@ -260,13 +258,13 @@ extern void _memset_io(volatile void __iomem *, int, size_t); * io{read,write}{8,16,32} macros */ #ifndef ioread8 -#define ioread8(p) ({ unsigned int __v = __raw_readb(p); __v; }) -#define ioread16(p) ({ unsigned int __v = le16_to_cpu((__force __le16)__raw_readw(p)); __v; }) -#define ioread32(p) ({ unsigned int __v = le32_to_cpu((__force __le32)__raw_readl(p)); __v; }) +#define ioread8(p) ({ unsigned int __v = __raw_readb(p); __iormb(); __v; }) +#define ioread16(p) ({ unsigned int __v = le16_to_cpu((__force __le16)__raw_readw(p)); __iormb(); __v; }) +#define ioread32(p) ({ unsigned int __v = le32_to_cpu((__force __le32)__raw_readl(p)); __iormb(); __v; }) -#define iowrite8(v,p) __raw_writeb(v, p) -#define iowrite16(v,p) __raw_writew((__force __u16)cpu_to_le16(v), p) -#define iowrite32(v,p) __raw_writel((__force __u32)cpu_to_le32(v), p) +#define iowrite8(v,p) ({ __iowmb(); (void)__raw_writeb(v, p); }) +#define iowrite16(v,p) ({ __iowmb(); (void)__raw_writew((__force __u16)cpu_to_le16(v), p); }) +#define iowrite32(v,p) ({ __iowmb(); (void)__raw_writel((__force __u32)cpu_to_le32(v), p); }) #define ioread8_rep(p,d,c) __raw_readsb(p,d,c) #define ioread16_rep(p,d,c) __raw_readsw(p,d,c) -- cgit v1.2.1 From 831e8047eb2af310184a9d4d9e749f3de119ae39 Mon Sep 17 00:00:00 2001 From: Gary King Date: Thu, 29 Jul 2010 17:37:20 +0100 Subject: ARM: 6279/1: highmem: fix SMP preemption bug in kmap_high_l1_vipt smp_processor_id() must not be called from a preemptible context (this is checked by CONFIG_DEBUG_PREEMPT). kmap_high_l1_vipt() was doing so. This lead to a problem where the wrong per_cpu kmap_high_l1_vipt_depth could be incremented, causing a BUG_ON(*depth <= 0); in kunmap_high_l1_vipt(). The solution is to move the call to smp_processor_id() after the call to preempt_disable(). Originally by: Andrew Howe Signed-off-by: Gary King Acked-by: Nicolas Pitre Signed-off-by: Russell King --- arch/arm/mm/highmem.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) (limited to 'arch') diff --git a/arch/arm/mm/highmem.c b/arch/arm/mm/highmem.c index 086816b205b8..6ab244062b4a 100644 --- a/arch/arm/mm/highmem.c +++ b/arch/arm/mm/highmem.c @@ -163,19 +163,22 @@ static DEFINE_PER_CPU(int, kmap_high_l1_vipt_depth); void *kmap_high_l1_vipt(struct page *page, pte_t *saved_pte) { - unsigned int idx, cpu = smp_processor_id(); - int *depth = &per_cpu(kmap_high_l1_vipt_depth, cpu); + unsigned int idx, cpu; + int *depth; unsigned long vaddr, flags; pte_t pte, *ptep; + if (!in_interrupt()) + preempt_disable(); + + cpu = smp_processor_id(); + depth = &per_cpu(kmap_high_l1_vipt_depth, cpu); + idx = KM_L1_CACHE + KM_TYPE_NR * cpu; vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx); ptep = TOP_PTE(vaddr); pte = mk_pte(page, kmap_prot); - if (!in_interrupt()) - preempt_disable(); - raw_local_irq_save(flags); (*depth)++; if (pte_val(*ptep) == pte_val(pte)) { -- cgit v1.2.1 From 74bc80931c8bc34d24545f992a35349ad548897c Mon Sep 17 00:00:00 2001 From: Russell King Date: Thu, 29 Jul 2010 15:58:59 +0100 Subject: ARM: Fix Versatile/Realview/VExpress MMC card detection sense The MMC card detection sense has become really confused with negations at various levels, leading to some platforms not detecting inserted cards. Fix this by converting everything to positive logic throughout, thereby getting rid of these negations. Signed-off-by: Russell King --- arch/arm/mach-realview/core.c | 2 +- arch/arm/mach-vexpress/v2m.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'arch') diff --git a/arch/arm/mach-realview/core.c b/arch/arm/mach-realview/core.c index 595be19f8ad5..02e9fdeb8faf 100644 --- a/arch/arm/mach-realview/core.c +++ b/arch/arm/mach-realview/core.c @@ -237,7 +237,7 @@ static unsigned int realview_mmc_status(struct device *dev) else mask = 2; - return !(readl(REALVIEW_SYSMCI) & mask); + return readl(REALVIEW_SYSMCI) & mask; } struct mmci_platform_data realview_mmc0_plat_data = { diff --git a/arch/arm/mach-vexpress/v2m.c b/arch/arm/mach-vexpress/v2m.c index d250711b8c7a..c84239761cb4 100644 --- a/arch/arm/mach-vexpress/v2m.c +++ b/arch/arm/mach-vexpress/v2m.c @@ -241,7 +241,7 @@ static struct platform_device v2m_flash_device = { static unsigned int v2m_mmci_status(struct device *dev) { - return !(readl(MMIO_P2V(V2M_SYS_MCI)) & (1 << 0)); + return readl(MMIO_P2V(V2M_SYS_MCI)) & (1 << 0); } static struct mmci_platform_data v2m_mmci_data = { -- cgit v1.2.1 From f2d2420bbf4bb125ea5f2e1573d4da6b668fc78a Mon Sep 17 00:00:00 2001 From: Julia Lawall Date: Fri, 30 Jul 2010 17:17:28 +0200 Subject: SA1111: Eliminate use after free __sa1111_remove always frees its argument, so the subsequent reference to sachip->saved_state represents a use after free. __sa1111_remove does not appear to use the saved_state field, so the patch simply frees it first. A simplified version of the semantic patch that finds this problem is as follows: (http://coccinelle.lip6.fr/) // @@ expression E,E2; @@ __sa1111_remove(E) ... ( E = E2 | * E ) // Signed-off-by: Julia Lawall Signed-off-by: Russell King --- arch/arm/common/sa1111.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'arch') diff --git a/arch/arm/common/sa1111.c b/arch/arm/common/sa1111.c index 6f80665f477e..9eaf65f43642 100644 --- a/arch/arm/common/sa1111.c +++ b/arch/arm/common/sa1111.c @@ -1028,13 +1028,12 @@ static int sa1111_remove(struct platform_device *pdev) struct sa1111 *sachip = platform_get_drvdata(pdev); if (sachip) { - __sa1111_remove(sachip); - platform_set_drvdata(pdev, NULL); - #ifdef CONFIG_PM kfree(sachip->saved_state); sachip->saved_state = NULL; #endif + __sa1111_remove(sachip); + platform_set_drvdata(pdev, NULL); } return 0; -- cgit v1.2.1