From: Adrian Larumbe <adrian.martinezlarumbe@imgtec.com>
To: <vkoul@kernel.org>, <dmaengine@vger.kernel.org>
Cc: <michal.simek@xilinx.com>, <linux-arm-kernel@lists.infradead.org>,
<adrian.martinezlarumbe@imgtec.com>
Subject: [PATCH 2/2] xilinx_dma: Fix read-after-free bug when terminating transfers
Date: Wed, 7 Jul 2021 00:43:38 +0100 [thread overview]
Message-ID: <20210706234338.7696-3-adrian.martinezlarumbe@imgtec.com> (raw)
In-Reply-To: <20210706234338.7696-1-adrian.martinezlarumbe@imgtec.com>
When user calls dmaengine_terminate_sync, the driver will clean up any
remaining descriptors for all the pending or active transfers that had
previously been submitted. However, this might happen whilst the tasklet is
invoking the DMA callback for the last finished transfer, so by the time it
returns and takes over the channel's spinlock, the list of completed
descriptors it was traversing is no longer valid. This leads to a
read-after-free situation.
Fix it by signalling whether a user-triggered termination has happened by
means of a boolean variable.
Signed-off-by: Adrian Larumbe <adrian.martinezlarumbe@imgtec.com>
---
drivers/dma/xilinx/xilinx_dma.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/dma/xilinx/xilinx_dma.c b/drivers/dma/xilinx/xilinx_dma.c
index 0e2bf75d42d3..8258e9fcc179 100644
--- a/drivers/dma/xilinx/xilinx_dma.c
+++ b/drivers/dma/xilinx/xilinx_dma.c
@@ -394,6 +394,7 @@ struct xilinx_dma_tx_descriptor {
* @genlock: Support genlock mode
* @err: Channel has errors
* @idle: Check for channel idle
+ * @terminating: Check for channel being synchronized by user
* @tasklet: Cleanup work after irq
* @config: Device configuration info
* @flush_on_fsync: Flush on Frame sync
@@ -431,6 +432,7 @@ struct xilinx_dma_chan {
bool genlock;
bool err;
bool idle;
+ bool terminating;
struct tasklet_struct tasklet;
struct xilinx_vdma_config config;
bool flush_on_fsync;
@@ -1049,6 +1051,13 @@ static void xilinx_dma_chan_desc_cleanup(struct xilinx_dma_chan *chan)
/* Run any dependencies, then free the descriptor */
dma_run_dependencies(&desc->async_tx);
xilinx_dma_free_tx_descriptor(chan, desc);
+
+ /*
+ * While we ran a callback the user called a terminate function,
+ * which takes care of cleaning up any remaining descriptors
+ */
+ if (chan->terminating)
+ break;
}
spin_unlock_irqrestore(&chan->lock, flags);
@@ -1965,6 +1974,8 @@ static dma_cookie_t xilinx_dma_tx_submit(struct dma_async_tx_descriptor *tx)
if (desc->cyclic)
chan->cyclic = true;
+ chan->terminating = false;
+
spin_unlock_irqrestore(&chan->lock, flags);
return cookie;
@@ -2556,6 +2567,7 @@ static int xilinx_dma_terminate_all(struct dma_chan *dchan)
xilinx_dma_chan_reset(chan);
/* Remove and free all of the descriptors in the lists */
+ chan->terminating = true;
xilinx_dma_free_descriptors(chan);
chan->idle = true;
--
2.17.1
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2021-07-06 23:46 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-06 23:43 [PATCH 0/2] Add support for MEMCPY_SG transfers Adrian Larumbe
2021-07-06 23:43 ` [PATCH 1/2] dmaengine: xilinx_dma: Restore support for memcpy SG transfers Adrian Larumbe
2021-07-14 4:58 ` Vinod Koul
2021-07-26 22:14 ` Adrian Larumbe
2021-07-29 4:19 ` Vinod Koul
2021-07-06 23:43 ` Adrian Larumbe [this message]
2021-07-14 5:10 ` [PATCH 2/2] xilinx_dma: Fix read-after-free bug when terminating transfers Vinod Koul
2021-11-01 18:08 ` [PATCH 0/3] Add support for MEMCPY_SG transfers Adrian Larumbe
2021-11-01 18:08 ` [PATCH 1/3] dmaengine: Add documentation for new memcpy scatter-gather function Adrian Larumbe
2021-11-01 18:08 ` [PATCH 2/3] dmaengine: Add core function and capability check for DMA_MEMCPY_SG Adrian Larumbe
2021-11-01 18:08 ` [PATCH 3/3] dmaengine: Add consumer for the new DMA_MEMCPY_SG API function Adrian Larumbe
2021-11-02 10:33 ` [PATCH 0/3] Add support for MEMCPY_SG transfers Michal Simek
2021-11-22 6:08 ` Vinod Koul
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210706234338.7696-3-adrian.martinezlarumbe@imgtec.com \
--to=adrian.martinezlarumbe@imgtec.com \
--cc=dmaengine@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=michal.simek@xilinx.com \
--cc=vkoul@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox