Subject: Re: [PATCH v4 01/14] dmaengine: tegra-apb: Fix use-after-free
From: Dmitry Osipenko
To: Jon Hunter, Laxman Dewangan, Vinod Koul, Dan Williams, Thierry Reding, Michał Mirosław
Cc: dmaengine@vger.kernel.org, linux-tegra@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Tue, 14 Jan 2020 23:33:40 +0300
Message-ID: <1327bb21-0364-da26-e6ed-ff6c19df03e6@gmail.com>
In-Reply-To: <4c1b9e48-5468-0c03-2108-158ee814eea8@nvidia.com>
References: <20200112173006.29863-1-digetx@gmail.com> <20200112173006.29863-2-digetx@gmail.com> <4c1b9e48-5468-0c03-2108-158ee814eea8@nvidia.com>

14.01.2020 18:09, Jon Hunter wrote:
> 
> On 12/01/2020 17:29, Dmitry Osipenko wrote:
>> I was doing some experiments with I2C and noticed that Tegra APB DMA
>> driver crashes sometime after I2C DMA transfer termination. The crash
>> happens because tegra_dma_terminate_all() bails out immediately if pending
>> list is empty, thus it doesn't release the half-completed descriptors
>> which are getting re-used before ISR tasklet kicks in.
> 
> Can you elaborate a bit more on how these are getting re-used? What is
> the sequence of events which results in the panic? I believe that this
> was also reported in the past [0] and so I don't doubt there is an issue
> here, but would like to completely understand this.
> 
> Thanks!
> Jon
> 
> [0] https://lore.kernel.org/patchwork/patch/675349/

In my case it happens in the touchscreen driver during the touchscreen's interrupt handling (in a threaded IRQ handler), plus the CPU is under load and there is other interrupt activity.

So what happens here is that the TS driver issues one I2C transfer, which fails with an (apparently bogus) timeout (because the DMA descriptor is completed and removed from the pending list, but the tasklet has not executed yet), and then the TS driver immediately issues another I2C transfer that re-uses the not-yet-completed descriptor.

That's my understanding.
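The descriptor-lifecycle race Dmitry describes, as an added C model that is not part of this thread or of the tegra-apb driver itself. The field names, the single descriptor slot, and the detail that a completed descriptor is released for reuse before the tasklet has run are assumptions made for the model; it compares the early-bailout terminate_all with one that also drops the stale callback entry.

```c
/* Constructed model of the race described in the thread; not tegra-apb driver code. */
#include <stdbool.h>
#include <stddef.h>
struct desc { int xfer_id; bool in_use; };
struct chan {               /* names and the release-on-completion detail are assumptions */
	struct desc slot;       /* the one descriptor the client keeps reusing */
	struct desc *pending;   /* issued, DMA not finished */
	struct desc *cb;        /* finished, tasklet not yet run */
	bool buggy_terminate;   /* bail out early when nothing is pending */
};
/* Client issues a transfer; it gets the descriptor only if the driver released it. */
static struct desc *issue(struct chan *c, int xfer_id)
{
	struct desc *d = &c->slot;
	if (d->in_use) return NULL;
	d->in_use = true; d->xfer_id = xfer_id; c->pending = d;
	return d;
}
/* ISR: DMA finished; descriptor released for reuse now, tasklet still owes a callback for it. */
static void isr_complete(struct chan *c)
{
	c->cb = c->pending;
	c->pending = NULL;
	c->cb->in_use = false;
}
/* terminate_all: client timed out. Buggy variant bails out when nothing is pending. */
static void terminate_all(struct chan *c)
{
	if (c->buggy_terminate && c->pending == NULL) return;
	if (c->pending) c->pending->in_use = false;
	c->pending = c->cb = NULL;   /* release everything, including stale callback entries */
}
/* Tasklet: id the callback would report (-1 if none); a newer transfer's id is the UAF. */
static int tasklet(struct chan *c)
{
	int id = c->cb ? c->cb->xfer_id : -1;
	c->cb = NULL;
	return id;
}
/* Thread's sequence: xfer 1 completes, client times out and terminates, xfer 2 reuses it. */
static int replay(bool buggy)
{
	struct chan c = { .buggy_terminate = buggy };
	issue(&c, 1);
	isr_complete(&c);
	terminate_all(&c);
	issue(&c, 2);
	return tasklet(&c); /* buggy: 2 (stale callback hits the live transfer); fixed: -1 */
}
```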