Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp803420pxb; Tue, 3 Nov 2020 13:00:11 -0800 (PST) X-Google-Smtp-Source: ABdhPJyEmq/VpHNjt/im/AWk598/wfh5JTFKSQGPaMHlG/fMMCkc5OCcxryRq6CvjDpuGFAcOxgN X-Received: by 2002:a17:906:1381:: with SMTP id f1mr21141247ejc.87.1604437211477; Tue, 03 Nov 2020 13:00:11 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1604437211; cv=none; d=google.com; s=arc-20160816; b=XuHQpmUMeCH1DeJMdBOF5EMIEnqX6bBHkDZdLXmaYBQQpBHqPkLmJ2HaoZ4H5b2Sak e1C+MXilDRUmQvGNtBxaXMwA6JG6J9/zXhGW/OBItxg+hK0B1+EbEwyXxtF1S4IIvqCJ vXjpCRQEG8JmOXD7OL+bbVikY4QFrjAWKWJuuW4CMtaljTrrEkvyoqSYCEpT9+0GOENI jMSz0zyVCIFwNXQsCSFT7xYJ5Vh7ByhX1aLCtdTXxBknN1aUKVvXt6FZmH5kYm++ZB2p L8f9NbOBvPtF5qxUGvufBNVeRRnpfluh3ueGku22vprMwegTv3cm5miGR5YHEo0Q0AkJ k5Fw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=35t1Z/wS66jdMIg0J/FRiv8LaqepW73W8HVbmvyC1PU=; b=0C2ZsvR9hO8xUS6vpoBg7rxfECEj9wItYbEO5shs+EOO6XY/S5Xbb2ZJhM5bnkOVLw chg47+6IRuFuaFCr230/MYkd2/62x6VvMXkoVWggi4E7gQuMhNwIjmDfSGZW94YFOL30 4YRbzaFyv2rcZLJYyO+cjmyROupVayE8EKvYBqP/OL6kSgVd+IIbEVLo5fML0IWSmNtm ci4P+DTJExMKVVxf7GIZfcFpNVLb3P2MIzW+7qyC5yy4sXzobMzyvt7gXDnYiI0jCifi aZI+1fqL3/LG1UTIGqGyYOQy+Iqc0LvDl9GHvqhCRNOCHIhixd4ht4jMSDcm37DgSIab 0AuQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=E0fHlcND; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id m20si19545eje.363.2020.11.03.12.59.48; Tue, 03 Nov 2020 13:00:11 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=E0fHlcND; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732284AbgKCU6c (ORCPT + 99 others); Tue, 3 Nov 2020 15:58:32 -0500 Received: from mail.kernel.org ([198.145.29.99]:32992 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732967AbgKCU6a (ORCPT ); Tue, 3 Nov 2020 15:58:30 -0500 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 003FA2053B; Tue, 3 Nov 2020 20:58:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1604437109; bh=Hd4XbZiTS7NDDUJEkgjX4l37jNWVlR3STL53BlmaYcw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=E0fHlcNDrJ76QBHv+iNDG7+vxda8Ggc2ziFRIW4XYS1t2hTLmaPsr0ku16OdjXf41 acXw1wzdXkwKS8OQB3IIlVVsfiyuS9Uw8pn7O14SEsWRd1R8XeW4yprTVqQa3ZBToG oiGFp2NE/sHJxTddqNZ7KfUJLaXiJmRoF4ySFaPk= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Paul Cercueil , Artur Rojek , Vinod Koul Subject: [PATCH 5.4 149/214] dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status Date: Tue, 3 Nov 2020 21:36:37 +0100 Message-Id: <20201103203304.757947181@linuxfoundation.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201103203249.448706377@linuxfoundation.org> References: <20201103203249.448706377@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Paul Cercueil commit baf6fd97b16ea8f981b8a8b04039596f32fc2972 upstream. The jz4780_dma_tx_status() function would check if a channel's cookie state was set to 'completed', and if not, it would enter the critical section. However, in that time frame, the jz4780_dma_chan_irq() function was able to set the cookie to 'completed', and clear the jzchan->vchan pointer, which was deferenced in the critical section of the first function. Fix this race by checking the channel's cookie state after entering the critical function and not before. Fixes: d894fc6046fe ("dmaengine: jz4780: add driver for the Ingenic JZ4780 DMA controller") Cc: stable@vger.kernel.org # v4.0 Signed-off-by: Paul Cercueil Reported-by: Artur Rojek Tested-by: Artur Rojek Link: https://lore.kernel.org/r/20201004140307.885556-1-paul@crapouillou.net Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman --- drivers/dma/dma-jz4780.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) --- a/drivers/dma/dma-jz4780.c +++ b/drivers/dma/dma-jz4780.c @@ -639,11 +639,11 @@ static enum dma_status jz4780_dma_tx_sta unsigned long flags; unsigned long residue = 0; + spin_lock_irqsave(&jzchan->vchan.lock, flags); + status = dma_cookie_status(chan, cookie, txstate); if ((status == DMA_COMPLETE) || (txstate == NULL)) - return status; - - spin_lock_irqsave(&jzchan->vchan.lock, flags); + goto out_unlock_irqrestore; vdesc = vchan_find_desc(&jzchan->vchan, cookie); if (vdesc) { @@ -660,6 +660,7 @@ static enum dma_status jz4780_dma_tx_sta && jzchan->desc->status & (JZ_DMA_DCS_AR | JZ_DMA_DCS_HLT)) status = DMA_ERROR; +out_unlock_irqrestore: spin_unlock_irqrestore(&jzchan->vchan.lock, flags); return status; }