Subject: Re: [PATCH v4 01/14] dmaengine: tegra-apb: Fix use-after-free
From: Jon Hunter
To: Dmitry Osipenko, Laxman Dewangan, Vinod Koul, Dan Williams, Thierry Reding, Michał Mirosław
Date: Wed, 15 Jan 2020 09:00:51 +0000
In-Reply-To: <1327bb21-0364-da26-e6ed-ff6c19df03e6@gmail.com>
References: <20200112173006.29863-1-digetx@gmail.com> <20200112173006.29863-2-digetx@gmail.com> <4c1b9e48-5468-0c03-2108-158ee814eea8@nvidia.com> <1327bb21-0364-da26-e6ed-ff6c19df03e6@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 14/01/2020 20:33, Dmitry Osipenko wrote:
> 14.01.2020 18:09, Jon Hunter writes:
>>
>> On 12/01/2020 17:29, Dmitry Osipenko wrote:
>>> I was doing some experiments with I2C and noticed that Tegra APB DMA
>>> driver crashes sometime after I2C DMA transfer termination. The crash
>>> happens because tegra_dma_terminate_all() bails out immediately if pending
>>> list is empty, thus it doesn't release the half-completed descriptors
>>> which are getting re-used before ISR tasklet kicks in.
>>
>> Can you elaborate a bit more on how these are getting re-used? What is
>> the sequence of events which results in the panic? I believe that this
>> was also reported in the past [0] and so I don't doubt there is an issue
>> here, but would like to completely understand this.
>>
>> Thanks!
>> Jon
>>
>> [0] https://lore.kernel.org/patchwork/patch/675349/
>>
> 
> In my case it happens in the touchscreen driver during the
> touchscreen's interrupt handling (in a threaded IRQ handler) + CPU is
> under load and there is other interrupt activity. So what happens here
> is that the TS driver issues one I2C transfer, which fails with
> (apparently bogus) timeout (because DMA descriptor is completed and
> removed from the pending list, but tasklet not executed yet), and then
> TS immediately issues another I2C transfer that re-uses the
> yet-incomplete descriptor. That's my understanding.

OK, but what is the exact sequence that is allowing it to re-use the
incomplete descriptor?

Thanks
Jon

-- 
nvpublic
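Added illustration, not part of this thread and not the Tegra APB DMA driver's code: a constructed C model of one channel's descriptor bookkeeping that replays the sequence Dmitry describes (hardware completes the transfer, the tasklet has not run yet, the client times out and terminates, then immediately issues a second transfer). Every identifier below is hypothetical. The model assumes only what the thread states: a hardware-completed descriptor leaves the pending list before its deferred callback runs, it is allocatable again in that window, and a terminate_all that returns early on an empty pending list never cancels the queued callback. The buggy and fixed terminate paths are side by side so the difference can be checked.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NDESC 2

/* Hypothetical descriptor: one transfer's bookkeeping on a channel. */
struct desc {
    int  owner;        /* id of the transfer using this descriptor, 0 = none */
    int  cb_owner;     /* owner id recorded when the callback was queued */
    bool pending;      /* on the hardware's pending list */
    bool cb_pending;   /* queued for the deferred (tasklet) callback */
    bool on_free_list; /* may be handed out by issue() */
};

struct chan {
    struct desc d[NDESC];
    int next_id;
    int stale_callbacks; /* callbacks delivered to a descriptor whose owner changed */
};

static void chan_init(struct chan *c)
{
    memset(c, 0, sizeof(*c));
    for (int i = 0; i < NDESC; i++)
        c->d[i].on_free_list = true;
    c->next_id = 1;
}

/* Client issues a transfer: take the first free descriptor, make it pending. */
static int issue(struct chan *c)
{
    for (int i = 0; i < NDESC; i++) {
        struct desc *d = &c->d[i];
        if (!d->on_free_list)
            continue;
        d->on_free_list = false;
        d->owner = c->next_id++;
        d->pending = true;
        return d->owner;
    }
    return -1;
}

/* ISR: hardware finished the oldest pending descriptor. Model assumption: it
 * leaves the pending list, goes back on the free list and is queued for the
 * tasklet, so it is briefly both allocatable and still referenced. */
static void hw_complete(struct chan *c)
{
    for (int i = 0; i < NDESC; i++) {
        struct desc *d = &c->d[i];
        if (!d->pending)
            continue;
        d->pending = false;
        d->cb_pending = true;
        d->cb_owner = d->owner;
        d->on_free_list = true;
        return;
    }
}

static bool any_pending(const struct chan *c)
{
    for (int i = 0; i < NDESC; i++)
        if (c->d[i].pending)
            return true;
    return false;
}

/* Abort whatever is pending and cancel every queued callback. */
static void abort_and_drain(struct chan *c)
{
    for (int i = 0; i < NDESC; i++) {
        c->d[i].pending = false;
        c->d[i].on_free_list = true;
        c->d[i].cb_pending = false;
    }
}

/* Buggy shape: empty pending list is treated as "nothing to do", so a
 * completed-but-not-yet-called-back descriptor stays queued. */
static void terminate_all_buggy(struct chan *c)
{
    if (!any_pending(c))
        return;
    abort_and_drain(c);
}

/* Fixed shape: always drain the callback queue, pending list empty or not. */
static void terminate_all_fixed(struct chan *c)
{
    abort_and_drain(c);
}

/* Tasklet: deliver queued callbacks. A callback landing on a descriptor that
 * has since been re-issued to another transfer is the hazard in miniature. */
static void tasklet(struct chan *c)
{
    for (int i = 0; i < NDESC; i++) {
        struct desc *d = &c->d[i];
        if (!d->cb_pending)
            continue;
        d->cb_pending = false;
        if (d->owner != d->cb_owner)
            c->stale_callbacks++;
    }
}

/* Replays the thread's sequence; returns how many stale callbacks fired. */
static int run_scenario(void (*terminate_all)(struct chan *))
{
    struct chan c;
    chan_init(&c);
    issue(&c);          /* first I2C transfer */
    hw_complete(&c);    /* done in hardware, tasklet not yet run */
    terminate_all(&c);  /* client gave up on it (the "bogus" timeout) */
    issue(&c);          /* second transfer reuses the same descriptor */
    tasklet(&c);        /* deferred callback finally runs */
    return c.stale_callbacks;
}

int main(void)
{
    printf("buggy terminate_all: %d stale callback(s)\n", run_scenario(terminate_all_buggy));
    printf("fixed terminate_all: %d stale callback(s)\n", run_scenario(terminate_all_fixed));
    return 0;
}
```

With the early-return shape the second transfer gets the descriptor while the first transfer's callback is still queued, and the tasklet then acts on a descriptor that belongs to someone else; draining the queue unconditionally in terminate_all closes that window. The model deliberately ignores locking and list layout, so it shows the ordering problem and nothing about how the real driver stores its lists.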