From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Paul Cercueil, Artur Rojek, Vinod Koul
Subject: [PATCH 4.9 065/117] dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status
Date: Mon, 9 Nov 2020 13:54:51 +0100
Message-Id: <20201109125028.752789672@linuxfoundation.org>
In-Reply-To: <20201109125025.630721781@linuxfoundation.org>

From: Paul Cercueil

commit baf6fd97b16ea8f981b8a8b04039596f32fc2972 upstream.

The jz4780_dma_tx_status() function would check if a channel's cookie state was set to 'completed', and if not, it would enter the critical section. However, in that time frame, the jz4780_dma_chan_irq() function was able to set the cookie to 'completed', and clear the jzchan->vchan pointer, which was dereferenced in the critical section of the first function.

Fix this race by checking the channel's cookie state after entering the critical function and not before.

Fixes: d894fc6046fe ("dmaengine: jz4780: add driver for the Ingenic JZ4780 DMA controller")
Cc: stable@vger.kernel.org # v4.0
Signed-off-by: Paul Cercueil
Reported-by: Artur Rojek
Tested-by: Artur Rojek
Link: https://lore.kernel.org/r/20201004140307.885556-1-paul@crapouillou.net
Signed-off-by: Vinod Koul
Signed-off-by: Greg Kroah-Hartman
--- drivers/dma/dma-jz4780.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) --- a/drivers/dma/dma-jz4780.c +++ b/drivers/dma/dma-jz4780.c
@@ -567,11 +567,11 @@ static enum dma_status jz4780_dma_tx_sta enum dma_status status; unsigned long flags; + spin_lock_irqsave(&jzchan->vchan.lock, flags); + status = dma_cookie_status(chan, cookie, txstate); if ((status == DMA_COMPLETE) || (txstate == NULL)) - return status; - - spin_lock_irqsave(&jzchan->vchan.lock, flags); + goto out_unlock_irqrestore; vdesc = vchan_find_desc(&jzchan->vchan, cookie); if (vdesc) { @@ -588,6 +588,7 @@ static enum dma_status jz4780_dma_tx_sta && jzchan->desc->status & (JZ_DMA_DCS_AR | JZ_DMA_DCS_HLT)) status = DMA_ERROR; +out_unlock_irqrestore: spin_unlock_irqrestore(&jzchan->vchan.lock, flags); return status; }
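
Review bot: In the first hunk of jz4780_dma_tx_status(), the new spin_lock_irqsave(&jzchan->vchan.lock, flags) placed ahead of dma_cookie_status() has no comment explaining why the cookie check must sit inside the lock, so a later cleanup could restore the lock-free early return and reintroduce the race. Suggest a short comment above the lock stating that jz4780_dma_chan_irq() can complete the cookie and clear channel state between an unlocked check and the critical section. The (txstate == NULL) case now also takes and releases the lock through goto out_unlock_irqrestore; that is correct, but it means every status poll now contends on vchan.lock, which is worth stating in the changelog.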
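
Review bot: In the second hunk, the context line just above the new out_unlock_irqrestore: label dereferences jzchan->desc->status, while the diff takes &jzchan->vchan.lock, so vchan is an embedded member rather than a pointer; the commit message's "clear the jzchan->vchan pointer" therefore reads as if it means jzchan->desc. Please confirm which field the IRQ handler clears and correct the description if so. Also check that the part of this condition not shown in the hunk tests jzchan->desc for NULL before the dereference, since holding the lock only helps if the locked path tolerates the pointer having already been cleared.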