Received: by 2002:a05:6622:f08:0:0:0:0 with SMTP id l8csp4481505ivc; Tue, 3 Nov 2020 13:10:25 -0800 (PST) X-Google-Smtp-Source: ABdhPJzabcOKf0cqstUeTKKYXGwYT9U6+yN4f1QOgTu5LYhJwqBYWSkCA42v8fksJdWXMBNZqKVr X-Received: by 2002:a17:906:284b:: with SMTP id s11mr22664127ejc.326.1604437825502; Tue, 03 Nov 2020 13:10:25 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1604437825; cv=none; d=google.com; s=arc-20160816; b=lPctghaM2huXA3ucJcwaahXVBl4+rYBUKgeB8zJQOlU11LOS79pQGwp8Ea4gHDkFcM WTrkB0gSQgjyY1BY/xJfX/gwt9UKiq2Fd7z3+kTS++mbG9Te1Azq2qaSiUuCZPpwMaV6 zHZAtiQKyVmuNqukJw9lPjDl6t+fM15eF8DORlSZ8/0hz48mje5ku0ijwoNQnG2sTzvT XZZfLyoVjfywo7wAHTWVh4JopMts5eOgXiGpwNxKC4qeeieUn+NUi5GscXeza4BMMfKa ITFUPp/JUbZWyNiiwQRf5GIiY2uod1oQqsF/gi75Hhivg3H6LSo2lTqTgWkwOnZmEJ57 5NZA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=+f7qsfVrLwKUUa+BPWHQO9oIFTBOI611FQSHJs16haU=; b=pYD7wj+/JY4p8hjLPEShGXzOETsfYyl1Yehazq80WZq1ZkTRGDscb5PfMR/9IDhj8l ts5g/HtYXHIpoxCgfsv3blQl7/n6YBoE0EudMR2yL4vaOXpgjoFiIy3heuFUPEcyArk1 8IM7N4U90OAXuCjNksXCiY4hSLY8gvpMVE0YnHXwDvNQi7DtB4ZuBFUMgBbUcuM0JXDu Tmc4N1o7d0T6RdTOqBXoCRbsPl9+2ElXFf7h3vClaTVVBfT7+pbEQOIkIeAL6t1oN0Nd G31TCRwHZQUOa+XnyX9PWSZQVZjts5kVpBvx0NG1Z8hBukww1496/KFuF5T9WH1lD/nc miNg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=mdffgN+y; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id u11si1459907edx.602.2020.11.03.13.10.02; Tue, 03 Nov 2020 13:10:25 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=mdffgN+y; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388036AbgKCVGw (ORCPT + 99 others); Tue, 3 Nov 2020 16:06:52 -0500 Received: from mail.kernel.org ([198.145.29.99]:45798 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388212AbgKCVGq (ORCPT ); Tue, 3 Nov 2020 16:06:46 -0500 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 5BBDD206B5; Tue, 3 Nov 2020 21:06:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1604437605; bh=DvEpMmqZWochAGWFLIfDIUJdSv6B7FqOuLt4kj04R5A=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=mdffgN+yWTq4+swyXJXT8rUz77JcXPZOQnNZxQKav3pRZo4VbPJ4F91IlTYuaIirS 4RJ0Gdr/ZY2JDOV6fq896XEbYtu0xfrwZb0PMQynMQwVyut0cAl/Yk0WElQfeUaasf /UsSHF+luwKQEj+iiAPgTinvWoByi2q36RI0vDMo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Paul Cercueil , Artur Rojek , Vinod Koul Subject: [PATCH 4.19 148/191] dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status Date: Tue, 3 Nov 2020 21:37:20 +0100 Message-Id: <20201103203246.582987354@linuxfoundation.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201103203232.656475008@linuxfoundation.org> References: <20201103203232.656475008@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Paul Cercueil commit baf6fd97b16ea8f981b8a8b04039596f32fc2972 upstream. The jz4780_dma_tx_status() function would check if a channel's cookie state was set to 'completed', and if not, it would enter the critical section. However, in that time frame, the jz4780_dma_chan_irq() function was able to set the cookie to 'completed', and clear the jzchan->vchan pointer, which was deferenced in the critical section of the first function. Fix this race by checking the channel's cookie state after entering the critical function and not before. Fixes: d894fc6046fe ("dmaengine: jz4780: add driver for the Ingenic JZ4780 DMA controller") Cc: stable@vger.kernel.org # v4.0 Signed-off-by: Paul Cercueil Reported-by: Artur Rojek Tested-by: Artur Rojek Link: https://lore.kernel.org/r/20201004140307.885556-1-paul@crapouillou.net Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman --- drivers/dma/dma-jz4780.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) --- a/drivers/dma/dma-jz4780.c +++ b/drivers/dma/dma-jz4780.c @@ -574,11 +574,11 @@ static enum dma_status jz4780_dma_tx_sta enum dma_status status; unsigned long flags; + spin_lock_irqsave(&jzchan->vchan.lock, flags); + status = dma_cookie_status(chan, cookie, txstate); if ((status == DMA_COMPLETE) || (txstate == NULL)) - return status; - - spin_lock_irqsave(&jzchan->vchan.lock, flags); + goto out_unlock_irqrestore; vdesc = vchan_find_desc(&jzchan->vchan, cookie); if (vdesc) { @@ -595,6 +595,7 @@ static enum dma_status jz4780_dma_tx_sta && jzchan->desc->status & (JZ_DMA_DCS_AR | JZ_DMA_DCS_HLT)) status = DMA_ERROR; +out_unlock_irqrestore: spin_unlock_irqrestore(&jzchan->vchan.lock, flags); return status; }