Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp833427pxb; Tue, 3 Nov 2020 13:52:54 -0800 (PST) X-Google-Smtp-Source: ABdhPJysQk5tGwMVFHMC9YX7wU9H3qs/kdoWNws1n5L6BVePXGp9hMxXar4LLxGIxrfWkPP8ywEq X-Received: by 2002:a17:906:d285:: with SMTP id ay5mr21750618ejb.84.1604440374605; Tue, 03 Nov 2020 13:52:54 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1604440374; cv=none; d=google.com; s=arc-20160816; b=vaADH1iJXMFKiYtsmGz0G0XF8NkMPnUmk3LD+fuTCruHln/WC6QgiCL57ymyRlaIB7 X9W/GlwSQrnDaToUzbro2GQDW9QmZyunxxp19Ygg7+HMTwSOjgKr5OgbsxDbVe9O0Qbm Qfan++6ojc/lxD8mgdK5GEiPZ0IGmudhEqPOX9VSKTK/k3uEh7NXtWMa8OwQvJbYI9/p YoAjWNQSMsI0jmXs3Y4E5vww0ktqVZm0TQXpNVcHAGn/nE+eRkeukfTKo/TAo7WhfgSQ xLYO4fJe8w8YeIFfyMqIig8KTXTWEaJZwAeDRhW5go2KcDCDF06wQFEZshIuYuezLfGo tXcA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=35t1Z/wS66jdMIg0J/FRiv8LaqepW73W8HVbmvyC1PU=; b=BjfTB8Wdztzx2wcVbyqMcDS249w8iRuhju7fHPSyGCJJA4rP2Snz4UUwOXLX1U1HpJ Zj0TbZYaL0nPAXHarMIXkOWunYDWOb6swUy9htDYBf5sP/vtyXX2g6bn/tNSBELnX6oM 3RiPp5fCkHj1HhEwtoGVK2WFsPhdqIj3AvXpjSyufOwRZAKyWVhzK02QZPK+9Bh6uTVZ 1JK51KVRNFXT7834Q34Xi+dlPGTTZKphFV9jrc7uppndau9Ve0ValbWmkiNL7XRZbAem d5mgzkjqe8eSNEreRw3mMmvhKVBccv6fucgETh0Qw3meK9UfEVD0NIHYFcQHAFcA+d0a DFWQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="BILkHH/n"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id f14si9379110edj.587.2020.11.03.13.52.31; Tue, 03 Nov 2020 13:52:54 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="BILkHH/n"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731766AbgKCVuD (ORCPT + 99 others); Tue, 3 Nov 2020 16:50:03 -0500 Received: from mail.kernel.org ([198.145.29.99]:42144 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730816AbgKCUtV (ORCPT ); Tue, 3 Nov 2020 15:49:21 -0500 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 08D5C22404; Tue, 3 Nov 2020 20:49:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1604436560; bh=Hd4XbZiTS7NDDUJEkgjX4l37jNWVlR3STL53BlmaYcw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=BILkHH/n7aqrbyRDcVISO7MBSJbfjPO5GC9TVnDaaDEVNwCZDfr/xbzD+FTjIPOih bdJgEZ4YKt8AnpTgREzuXbWNziXR+JM3uJZ5OiWCEodd77h1ZyEmD58rRxBkUMQ40C fzDfe4RhgzSl76nVgMluQQh8PhkFYuzFtIwk5XCQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Paul Cercueil , Artur Rojek , Vinod Koul Subject: [PATCH 5.9 265/391] dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status Date: Tue, 3 Nov 2020 21:35:16 +0100 Message-Id: <20201103203404.904108363@linuxfoundation.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201103203348.153465465@linuxfoundation.org> References: <20201103203348.153465465@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Paul Cercueil commit baf6fd97b16ea8f981b8a8b04039596f32fc2972 upstream. The jz4780_dma_tx_status() function would check if a channel's cookie state was set to 'completed', and if not, it would enter the critical section. However, in that time frame, the jz4780_dma_chan_irq() function was able to set the cookie to 'completed', and clear the jzchan->vchan pointer, which was deferenced in the critical section of the first function. Fix this race by checking the channel's cookie state after entering the critical function and not before. Fixes: d894fc6046fe ("dmaengine: jz4780: add driver for the Ingenic JZ4780 DMA controller") Cc: stable@vger.kernel.org # v4.0 Signed-off-by: Paul Cercueil Reported-by: Artur Rojek Tested-by: Artur Rojek Link: https://lore.kernel.org/r/20201004140307.885556-1-paul@crapouillou.net Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman --- drivers/dma/dma-jz4780.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) --- a/drivers/dma/dma-jz4780.c +++ b/drivers/dma/dma-jz4780.c @@ -639,11 +639,11 @@ static enum dma_status jz4780_dma_tx_sta unsigned long flags; unsigned long residue = 0; + spin_lock_irqsave(&jzchan->vchan.lock, flags); + status = dma_cookie_status(chan, cookie, txstate); if ((status == DMA_COMPLETE) || (txstate == NULL)) - return status; - - spin_lock_irqsave(&jzchan->vchan.lock, flags); + goto out_unlock_irqrestore; vdesc = vchan_find_desc(&jzchan->vchan, cookie); if (vdesc) { @@ -660,6 +660,7 @@ static enum dma_status jz4780_dma_tx_sta && jzchan->desc->status & (JZ_DMA_DCS_AR | JZ_DMA_DCS_HLT)) status = DMA_ERROR; +out_unlock_irqrestore: spin_unlock_irqrestore(&jzchan->vchan.lock, flags); return status; }