From: Dmitry Osipenko <digetx@gmail.com>
To: Laxman Dewangan <ldewangan@nvidia.com>,
Vinod Koul <vkoul@kernel.org>,
Dan Williams <dan.j.williams@intel.com>,
Thierry Reding <thierry.reding@gmail.com>,
Jonathan Hunter <jonathanh@nvidia.com>
Cc: dmaengine@vger.kernel.org, linux-tegra@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH v2 01/12] dmaengine: tegra-apb: Fix use-after-free
Date: Sun, 29 Dec 2019 17:55:14 +0300
Message-ID: <20191229145525.533-2-digetx@gmail.com>
In-Reply-To: <20191229145525.533-1-digetx@gmail.com>
I was doing some experiments with I2C and noticed that Tegra APB DMA
driver crashes sometime after I2C DMA transfer termination. The crash
happens because tegra_dma_terminate_all() bails out immediately if the
pending list is empty, thus it doesn't stop the hardware and doesn't
release the half-completed descriptors, which are getting re-used before
the ISR tasklet kicks in.
tegra-i2c 7000c400.i2c: DMA transfer timeout
elants_i2c 0-0010: elants_i2c_irq: failed to read data: -110
------------[ cut here ]------------
WARNING: CPU: 0 PID: 142 at lib/list_debug.c:45 __list_del_entry_valid+0x45/0xac
list_del corruption, ddbaac44->next is LIST_POISON1 (00000100)
Modules linked in:
CPU: 0 PID: 142 Comm: kworker/0:2 Not tainted 5.5.0-rc2-next-20191220-00175-gc3605715758d-dirty #538
Hardware name: NVIDIA Tegra SoC (Flattened Device Tree)
Workqueue: events_freezable_power_ thermal_zone_device_check
[<c010e5c5>] (unwind_backtrace) from [<c010a1c5>] (show_stack+0x11/0x14)
[<c010a1c5>] (show_stack) from [<c0973925>] (dump_stack+0x85/0x94)
[<c0973925>] (dump_stack) from [<c011f529>] (__warn+0xc1/0xc4)
[<c011f529>] (__warn) from [<c011f7e9>] (warn_slowpath_fmt+0x61/0x78)
[<c011f7e9>] (warn_slowpath_fmt) from [<c042497d>] (__list_del_entry_valid+0x45/0xac)
[<c042497d>] (__list_del_entry_valid) from [<c047a87f>] (tegra_dma_tasklet+0x5b/0x154)
[<c047a87f>] (tegra_dma_tasklet) from [<c0124799>] (tasklet_action_common.constprop.0+0x41/0x7c)
[<c0124799>] (tasklet_action_common.constprop.0) from [<c01022ab>] (__do_softirq+0xd3/0x2a8)
[<c01022ab>] (__do_softirq) from [<c0124683>] (irq_exit+0x7b/0x98)
[<c0124683>] (irq_exit) from [<c0168c19>] (__handle_domain_irq+0x45/0x80)
[<c0168c19>] (__handle_domain_irq) from [<c043e429>] (gic_handle_irq+0x45/0x7c)
[<c043e429>] (gic_handle_irq) from [<c0101aa5>] (__irq_svc+0x65/0x94)
Exception stack(0xde2ebb90 to 0xde2ebbd8)
Cc: <stable@vger.kernel.org>
Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
---
drivers/dma/tegra20-apb-dma.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/drivers/dma/tegra20-apb-dma.c b/drivers/dma/tegra20-apb-dma.c
index 3a45079d11ec..319f31d27014 100644
--- a/drivers/dma/tegra20-apb-dma.c
+++ b/drivers/dma/tegra20-apb-dma.c
@@ -756,10 +756,6 @@ static int tegra_dma_terminate_all(struct dma_chan *dc)
bool was_busy;
spin_lock_irqsave(&tdc->lock, flags);
- if (list_empty(&tdc->pending_sg_req)) {
- spin_unlock_irqrestore(&tdc->lock, flags);
- return 0;
- }
if (!tdc->busy)
goto skip_dma_stop;
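
Review bot: With the list_empty(&tdc->pending_sg_req) early return gone from the top of tegra_dma_terminate_all(), an empty pending list now reaches the !tdc->busy check and everything after it, so the remainder of the function (not visible in this hunk) has to cope with an empty list. Please confirm that any later access to the first pending request is guarded by its own list_empty() test, and say so in the commit message. Since this is Cc'd to stable, a Fixes: tag naming the commit that introduced the early return would also help backporting.
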
--
2.24.0