2021-10-29 15:15:34

by Kishon Vijay Abraham I

Subject: [PATCH v3 0/2] dmaengine: ti: k3-udma: Fix NULL pointer dereference error

NULL pointer de-reference error was observed when all the PCIe endpoint
functions (22 functions in J721E) request a DMA channel. The issue was
specifically observed when using mem-to-mem copy.

Changes from v2:
1) Fix commit subject and commit log to mention bchan/rchan/tchan to NULL
suggested by Peter.

Changes from v1:
1) Split the patch for BCDMA and PKTDMA separately
2) Fixed the return value of udma_get_rflow() to 0.
3) Removed the fixes tag as the patches do not directly apply to the
commits.

v1 => https://lore.kernel.org/r/[email protected]
v2 => https://lore.kernel.org/r/[email protected]

Kishon Vijay Abraham I (2):
dmaengine: ti: k3-udma: Set bchan to NULL if a channel request fail
dmaengine: ti: k3-udma: Set rchan/tchan to NULL if a channel request
fail

drivers/dma/ti/k3-udma.c | 32 ++++++++++++++++++++++++++------
1 file changed, 26 insertions(+), 6 deletions(-)

--
2.17.1


2021-10-29 15:16:55

by Kishon Vijay Abraham I

Subject: [PATCH v3 2/2] dmaengine: ti: k3-udma: Set rchan/tchan to NULL if a channel request fail

udma_get_*() checks if rchan/tchan/rflow is already allocated by checking
if it has a NON NULL value. For the error cases, rchan/tchan/rflow will
have error value and udma_get_*() considers this as already allocated
(PASS) since the error values are NON NULL. This results in NULL pointer
dereference error while de-referencing rchan/tchan/rflow.

Reset the value of rchan/tchan/rflow to NULL if a channel request fails.

Signed-off-by: Kishon Vijay Abraham I <[email protected]>
---
drivers/dma/ti/k3-udma.c | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/drivers/dma/ti/k3-udma.c b/drivers/dma/ti/k3-udma.c
index 14ae28830871..041d8e32d630 100644
--- a/drivers/dma/ti/k3-udma.c
+++ b/drivers/dma/ti/k3-udma.c
@@ -1380,6 +1380,7 @@ static int bcdma_get_bchan(struct udma_chan *uc)
static int udma_get_tchan(struct udma_chan *uc)
{
struct udma_dev *ud = uc->ud;
+ int ret;

if (uc->tchan) {
dev_dbg(ud->dev, "chan%d: already have tchan%d allocated\n",
@@ -1394,8 +1395,11 @@ static int udma_get_tchan(struct udma_chan *uc)
*/
uc->tchan = __udma_reserve_tchan(ud, uc->config.channel_tpl,
uc->config.mapped_channel_id);
- if (IS_ERR(uc->tchan))
- return PTR_ERR(uc->tchan);
+ if (IS_ERR(uc->tchan)) {
+ ret = PTR_ERR(uc->tchan);
+ uc->tchan = NULL;
+ return ret;
+ }

if (ud->tflow_cnt) {
int tflow_id;
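Review bot: In the `IS_ERR(uc->tchan)` branch the error pointer has already been stored in `uc->tchan` and is only then cleared, so the field passes through a state that the `if (uc->tchan)` check at the top of the function treats as an allocated channel. Taking the result of `__udma_reserve_tchan()` into a local pointer and assigning `uc->tchan` only on success would keep the field NULL-or-valid at every point and make the added `int ret` unnecessary.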
@@ -1425,6 +1429,7 @@ static int udma_get_tchan(struct udma_chan *uc)
static int udma_get_rchan(struct udma_chan *uc)
{
struct udma_dev *ud = uc->ud;
+ int ret;

if (uc->rchan) {
dev_dbg(ud->dev, "chan%d: already have rchan%d allocated\n",
@@ -1439,8 +1444,13 @@ static int udma_get_rchan(struct udma_chan *uc)
*/
uc->rchan = __udma_reserve_rchan(ud, uc->config.channel_tpl,
uc->config.mapped_channel_id);
+ if (IS_ERR(uc->rchan)) {
+ ret = PTR_ERR(uc->rchan);
+ uc->rchan = NULL;
+ return ret;
+ }

- return PTR_ERR_OR_ZERO(uc->rchan);
+ return 0;
}

static int udma_get_chan_pair(struct udma_chan *uc)
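Review bot: The replacement of `return PTR_ERR_OR_ZERO(uc->rchan);` with an explicit `IS_ERR()` block and `return 0;` carries no comment saying why, and the longer form invites a later cleanup back to the one-liner. A short comment in the error branch stating that `uc->rchan` must be NULL on failure, because the `if (uc->rchan)` check at the top of `udma_get_rchan()` treats any non-NULL value as allocated, would protect the fix.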
@@ -1494,6 +1504,7 @@ static int udma_get_chan_pair(struct udma_chan *uc)
static int udma_get_rflow(struct udma_chan *uc, int flow_id)
{
struct udma_dev *ud = uc->ud;
+ int ret;

if (!uc->rchan) {
dev_err(ud->dev, "chan%d: does not have rchan??\n", uc->id);
@@ -1507,8 +1518,13 @@ static int udma_get_rflow(struct udma_chan *uc, int flow_id)
}

uc->rflow = __udma_get_rflow(ud, flow_id);
+ if (IS_ERR(uc->rflow)) {
+ ret = PTR_ERR(uc->rflow);
+ uc->rflow = NULL;
+ return ret;
+ }

- return PTR_ERR_OR_ZERO(uc->rflow);
+ return 0;
}

static void bcdma_put_bchan(struct udma_chan *uc)
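Review bot: The `uc->rflow = NULL;` reset in `udma_get_rflow()` is not reflected in the subject line, which names only rchan/tchan, although the commit log does list rflow. Naming rflow in the subject as well would let someone scanning the log for rflow fixes find this change.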
--
2.17.1
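
The failure mode described in the commit message above, reduced to a user-space C model (an added example, not code from the patch or the k3-udma driver). The ERR_PTR macros mirror the kernel convention; `struct res`, `struct chan`, `reserve()`, `get_tchan_before()`, `get_tchan_after()` and `second_request()` are hypothetical stand-ins, and `reserve()` always fails to model an exhausted channel pool.

```c
/* Added example, not k3-udma code; only the ERR_PTR macros mirror the kernel. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#define ERR_PTR(e) ((void *)(intptr_t)(e))
#define PTR_ERR(p) ((int)(intptr_t)(p))
#define IS_ERR(p)  ((uintptr_t)(p) >= (uintptr_t)-4095)	/* MAX_ERRNO */

struct res  { int id; };
struct chan { struct res *tchan; };

static struct res *reserve(void)
{
	return ERR_PTR(-ENOENT);	/* models a pool with no free channel */
}

/* Pre-patch shape: on failure the error pointer stays in c->tchan. */
static int get_tchan_before(struct chan *c)
{
	if (c->tchan)		/* an ERR_PTR value is non-NULL too */
		return 0;	/* reported as "already allocated" */
	c->tchan = reserve();
	return IS_ERR(c->tchan) ? PTR_ERR(c->tchan) : 0;
}

/* Post-patch shape: the field goes back to NULL on failure. */
static int get_tchan_after(struct chan *c)
{
	int ret = get_tchan_before(c);
	if (ret)
		c->tchan = NULL;
	return ret;
}

/* Request twice on one channel and return the result of the second call. */
static int second_request(int (*get)(struct chan *), struct chan *c)
{
	c->tchan = NULL;
	(void)get(c);
	return get(c);
}

int main(void)
{
	struct chan c;
	printf("before: %d\n", second_request(get_tchan_before, &c));
	printf("after:  %d\n", second_request(get_tchan_after, &c));
	return 0;
}
```

In the pre-patch shape the second request reports success while `c->tchan` still holds the error value, so any later dereference of the field faults; in the post-patch shape the second request fails again with the same error code.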

2021-10-30 06:49:25

by Péter Ujfalusi

Subject: Re: [PATCH v3 0/2] dmaengine: ti: k3-udma: Fix NULL pointer dereference error

Hi Kishon,

On 29/10/2021 18:12, Kishon Vijay Abraham I wrote:
> NULL pointer de-reference error was observed when all the PCIe endpoint
> functions (22 functions in J721E) request a DMA channel. The issue was
> specifically observed when using mem-to-mem copy.
>
> Changes from v2:
> 1) Fix commit subject and commit log to mention bchan/rchan/tchan to NULL
> suggested by Peter.

Looks good, however the second patch also fixes the rflow. It is
mentioned in the commit message itself.

I suppose the reason for a split is that the UDMA part
(rchan/tchan/rflow) could be backported as fix for older kernel since
the bchan came later with BCDMA/PKTDMA support?

Can you find a good Fixes tag for these?

>
> Changes from v1:
> 1) Split the patch for BCDMA and PKTDMA separately
> 2) Fixed the return value of udma_get_rflow() to 0.
> 3) Removed the fixes tag as the patches do not directly apply to the
> commits.
>
> v1 => https://lore.kernel.org/r/[email protected]
> v2 => https://lore.kernel.org/r/[email protected]
>
> Kishon Vijay Abraham I (2):
> dmaengine: ti: k3-udma: Set bchan to NULL if a channel request fail
> dmaengine: ti: k3-udma: Set rchan/tchan to NULL if a channel request
> fail

dmaengine: ti: k3-udma: Set r/tchan or rflow to NULL if request fail

would have been a better subject line, if you feel you can send an update.

Acked-by: Peter Ujfalusi <[email protected]>


>
> drivers/dma/ti/k3-udma.c | 32 ++++++++++++++++++++++++++------
> 1 file changed, 26 insertions(+), 6 deletions(-)
>

--
Péter

2021-10-31 03:14:31

by Kishon Vijay Abraham I

Subject: Re: [PATCH v3 0/2] dmaengine: ti: k3-udma: Fix NULL pointer dereference error

Hi Peter,

On 30/10/21 12:15 pm, Péter Ujfalusi wrote:
> Hi Kishon,
>
> On 29/10/2021 18:12, Kishon Vijay Abraham I wrote:
>> NULL pointer de-reference error was observed when all the PCIe endpoint
>> functions (22 functions in J721E) request a DMA channel. The issue was
>> specifically observed when using mem-to-mem copy.
>>
>> Changes from v2:
>> 1) Fix commit subject and commit log to mention bchan/rchan/tchan to NULL
>> suggested by Peter.
>
> Looks good, however the second patch also fixes the rflow. It is
> mentioned in the commit message itself.
>
> I suppose the reason for a split is that the UDMA part
> (rchan/tchan/rflow) could be backported as fix for older kernel since
> the bchan came later with BCDMA/PKTDMA support?
>
> Can you find a good Fixes tag for these?

I'll now add "Cc: <[email protected]>" so that it gets merged to 5.14. It
doesn't apply cleanly to any of the other stable kernels.
>
>>
>> Changes from v1:
>> 1) Split the patch for BCDMA and PKTDMA separately
>> 2) Fixed the return value of udma_get_rflow() to 0.
>> 3) Removed the fixes tag as the patches do not directly apply to the
>> commits.
>>
>> v1 => https://lore.kernel.org/r/[email protected]
>> v2 => https://lore.kernel.org/r/[email protected]
>>
>> Kishon Vijay Abraham I (2):
>> dmaengine: ti: k3-udma: Set bchan to NULL if a channel request fail
>> dmaengine: ti: k3-udma: Set rchan/tchan to NULL if a channel request
>> fail
>
> dmaengine: ti: k3-udma: Set r/tchan or rflow to NULL if request fail
>
> would have been a better subject line, if you feel you can send an update.
>
> Acked-by: Peter Ujfalusi <[email protected]>

Thank You! Will fix and resend.

Best Regards,
Kishon