From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
"Andre Renaud" <arenaud@designa-electronics.com>,
"Uwe Kleine-König" <u.kleine-koenig@pengutronix.de>
Subject: [PATCH 5.5 18/56] serial: imx: fix a race condition in receive path
Date: Thu, 30 Jan 2020 19:38:35 +0100 [thread overview]
Message-ID: <20200130183612.561249887@linuxfoundation.org> (raw)
In-Reply-To: <20200130183608.849023566@linuxfoundation.org>
From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
commit 101aa46bd221b768dfff8ef3745173fc8dbb85ee upstream.
The main irq handler function starts by first masking disabled
interrupts in the status register values to ensure to only handle
enabled interrupts. This is important as when the RX path in the
hardware is disabled reading the RX fifo results in an external abort.
This checking must be done under the port lock, otherwise the following
can happen:
CPU1 | CPU2
|
irq triggers as there are chars |
in the RX fifo |
| grab port lock
imx_uart_int finds RRDY enabled |
and calls imx_uart_rxint which |
has to wait for port lock |
| disable RX (e.g. because we're
| using RS485 with !RX_DURING_TX)
|
| release port lock
read from RX fifo with RX |
disabled => exception |
So take the port lock only once in imx_uart_int() instead of in the
functions called from there.
Reported-by: Andre Renaud <arenaud@designa-electronics.com>
Cc: stable@vger.kernel.org
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Link: https://lore.kernel.org/r/20200121071702.20150-1-u.kleine-koenig@pengutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/imx.c | 51 +++++++++++++++++++++++++++++++++++------------
1 file changed, 38 insertions(+), 13 deletions(-)
--- a/drivers/tty/serial/imx.c
+++ b/drivers/tty/serial/imx.c
@@ -700,22 +700,33 @@ static void imx_uart_start_tx(struct uar
}
}
-static irqreturn_t imx_uart_rtsint(int irq, void *dev_id)
+static irqreturn_t __imx_uart_rtsint(int irq, void *dev_id)
{
struct imx_port *sport = dev_id;
u32 usr1;
- spin_lock(&sport->port.lock);
-
imx_uart_writel(sport, USR1_RTSD, USR1);
usr1 = imx_uart_readl(sport, USR1) & USR1_RTSS;
uart_handle_cts_change(&sport->port, !!usr1);
wake_up_interruptible(&sport->port.state->port.delta_msr_wait);
- spin_unlock(&sport->port.lock);
return IRQ_HANDLED;
}
+static irqreturn_t imx_uart_rtsint(int irq, void *dev_id)
+{
+ struct imx_port *sport = dev_id;
+ irqreturn_t ret;
+
+ spin_lock(&sport->port.lock);
+
+ ret = __imx_uart_rtsint(irq, dev_id);
+
+ spin_unlock(&sport->port.lock);
+
+ return ret;
+}
+
static irqreturn_t imx_uart_txint(int irq, void *dev_id)
{
struct imx_port *sport = dev_id;
@@ -726,14 +737,12 @@ static irqreturn_t imx_uart_txint(int ir
return IRQ_HANDLED;
}
-static irqreturn_t imx_uart_rxint(int irq, void *dev_id)
+static irqreturn_t __imx_uart_rxint(int irq, void *dev_id)
{
struct imx_port *sport = dev_id;
unsigned int rx, flg, ignored = 0;
struct tty_port *port = &sport->port.state->port;
- spin_lock(&sport->port.lock);
-
while (imx_uart_readl(sport, USR2) & USR2_RDR) {
u32 usr2;
@@ -792,11 +801,25 @@ static irqreturn_t imx_uart_rxint(int ir
}
out:
- spin_unlock(&sport->port.lock);
tty_flip_buffer_push(port);
+
return IRQ_HANDLED;
}
+static irqreturn_t imx_uart_rxint(int irq, void *dev_id)
+{
+ struct imx_port *sport = dev_id;
+ irqreturn_t ret;
+
+ spin_lock(&sport->port.lock);
+
+ ret = __imx_uart_rxint(irq, dev_id);
+
+ spin_unlock(&sport->port.lock);
+
+ return ret;
+}
+
static void imx_uart_clear_rx_errors(struct imx_port *sport);
/*
@@ -855,6 +878,8 @@ static irqreturn_t imx_uart_int(int irq,
unsigned int usr1, usr2, ucr1, ucr2, ucr3, ucr4;
irqreturn_t ret = IRQ_NONE;
+ spin_lock(&sport->port.lock);
+
usr1 = imx_uart_readl(sport, USR1);
usr2 = imx_uart_readl(sport, USR2);
ucr1 = imx_uart_readl(sport, UCR1);
@@ -888,27 +913,25 @@ static irqreturn_t imx_uart_int(int irq,
usr2 &= ~USR2_ORE;
if (usr1 & (USR1_RRDY | USR1_AGTIM)) {
- imx_uart_rxint(irq, dev_id);
+ __imx_uart_rxint(irq, dev_id);
ret = IRQ_HANDLED;
}
if ((usr1 & USR1_TRDY) || (usr2 & USR2_TXDC)) {
- imx_uart_txint(irq, dev_id);
+ imx_uart_transmit_buffer(sport);
ret = IRQ_HANDLED;
}
if (usr1 & USR1_DTRD) {
imx_uart_writel(sport, USR1_DTRD, USR1);
- spin_lock(&sport->port.lock);
imx_uart_mctrl_check(sport);
- spin_unlock(&sport->port.lock);
ret = IRQ_HANDLED;
}
if (usr1 & USR1_RTSD) {
- imx_uart_rtsint(irq, dev_id);
+ __imx_uart_rtsint(irq, dev_id);
ret = IRQ_HANDLED;
}
@@ -923,6 +946,8 @@ static irqreturn_t imx_uart_int(int irq,
ret = IRQ_HANDLED;
}
+ spin_unlock(&sport->port.lock);
+
return ret;
}
next prev parent reply other threads:[~2020-01-30 18:54 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-30 18:38 [PATCH 5.5 00/56] 5.5.1-stable review Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 01/56] Bluetooth: btusb: fix non-atomic allocation in completion handler Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 02/56] orinoco_usb: fix interface sanity check Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 03/56] rsi_91x_usb: " Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 04/56] usb: dwc3: pci: add ID for the Intel Comet Lake -V variant Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 05/56] usb: host: xhci-tegra: set MODULE_FIRMWARE for tegra186 Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 06/56] USB: serial: ir-usb: add missing endpoint sanity check Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 07/56] USB: serial: ir-usb: fix link-speed handling Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 08/56] USB: serial: ir-usb: fix IrLAP framing Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 09/56] usb: dwc3: turn off VBUS when leaving host mode Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 10/56] usb: typec: wcove: fix "op-sink-microwatt" default that was in mW Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 11/56] usb: typec: fusb302: " Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 12/56] staging: most: net: fix buffer overflow Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 13/56] staging: wlan-ng: ensure error return is actually returned Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 14/56] staging: vt6656: correct packet types for CTS protect, mode Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 15/56] staging: vt6656: use NULLFUCTION stack on mac80211 Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 16/56] staging: vt6656: Fix false Tx excessive retries reporting Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 17/56] serial: 8250_bcm2835aux: Fix line mismatch on driver unbind Greg Kroah-Hartman
2020-01-30 18:38 ` Greg Kroah-Hartman [this message]
2020-01-30 18:38 ` [PATCH 5.5 19/56] debugfs: Return -EPERM when locked down Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 20/56] component: do not dereference opaque pointer in debugfs Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 21/56] binder: fix log spam for existing debugfs file creation Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 22/56] mei: hdcp: bind only with i915 on the same PCH Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 23/56] mei: me: add comet point (lake) H device ids Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 24/56] mei: me: add jasper point DID Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 25/56] iio: adc: stm32-dfsdm: fix single conversion Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 26/56] iio: st_gyro: Correct data for LSM9DS0 gyro Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 27/56] driver core: Fix test_async_driver_probe if NUMA is disabled Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 28/56] crypto: chelsio - fix writing tfm flags to wrong place Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 29/56] CIFS: Fix task struct use-after-free on reconnect Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 30/56] cifs: set correct max-buffer-size for smb2_ioctl_init() Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 31/56] cifs: Fix memory allocation in __smb2_handle_cancelled_cmd() Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 32/56] ath9k: fix storage endpoint lookup Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 33/56] brcmfmac: fix interface sanity check Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 34/56] rtl8xxxu: " Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 35/56] zd1211rw: fix storage endpoint lookup Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 36/56] mvneta driver disallow XDP program on hardware buffer management Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 37/56] net_sched: ematch: reject invalid TCF_EM_SIMPLE Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 38/56] net_sched: fix ops->bind_class() implementations Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 39/56] net_sched: walk through all child classes in tc_bind_tclass() Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 40/56] net: socionext: fix possible user-after-free in netsec_process_rx Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 41/56] net: socionext: fix xdp_result initialization " Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 5.5 42/56] udp: segment looped gso packets correctly Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 5.5 43/56] mlxsw: minimal: Fix an error handling path in mlxsw_m_port_create() Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 5.5 44/56] net: include struct nhmsg size in nh nlmsg size Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 5.5 45/56] rxrpc: Fix use-after-free in rxrpc_receive_data() Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 5.5 46/56] rsi: fix use-after-free on failed probe and unbind Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 5.5 47/56] rsi: fix use-after-free on probe errors Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 5.5 48/56] rsi: fix memory leak on failed URB submission Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 5.5 49/56] rsi: fix non-atomic allocation in completion handler Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 5.5 50/56] crypto: af_alg - Use bh_lock_sock in sk_destruct Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 5.5 51/56] crypto: vmx - reject xts inputs that are too short Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 5.5 52/56] crypto: caam - do not reset pointer size from MCFGR register Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 5.5 53/56] crypto: pcrypt - Fix user-after-free on module unload Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 5.5 54/56] KVM: arm64: Write arch.mdcr_el2 changes since last vcpu_load on VHE Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 5.5 55/56] Revert "um: Enable CONFIG_CONSTRUCTORS" Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 5.5 56/56] power/supply: ingenic-battery: Dont change scale if theres only one Greg Kroah-Hartman
2020-01-31 4:40 ` [PATCH 5.5 00/56] 5.5.1-stable review shuah
2020-01-31 6:06 ` Greg Kroah-Hartman
2020-01-31 11:04 ` Jon Hunter
2020-01-31 21:24 ` Greg Kroah-Hartman
2020-01-31 14:54 ` Naresh Kamboju
2020-01-31 21:26 ` Greg Kroah-Hartman
2020-01-31 17:32 ` Guenter Roeck
2020-01-31 21:25 ` Greg Kroah-Hartman
2020-01-31 22:33 ` Jeffrin Jose
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200130183612.561249887@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=arenaud@designa-electronics.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=u.kleine-koenig@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).