Received: by 10.223.164.202 with SMTP id h10csp591684wrb;
        Tue, 14 Nov 2017 06:35:39 -0800 (PST)
X-Google-Smtp-Source: AGs4zMaxxc6+WNLGin2mLq+iD03GGDAVC75eIrvs96B+GjNIpOFNkX7cEluJWNOA8rx7TJZvz8MM
X-Received: by 10.101.65.197 with SMTP id b5mr12163835pgq.91.1510670139593;
        Tue, 14 Nov 2017 06:35:39 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1510670139; cv=none;
        d=google.com; s=arc-20160816;
        b=QuFB7Dn1eAUmriie+66EyNuTlQwFwZMn5+xdqAzvgBSajR4Lsb4VDFpT6Le7gnzvuI
         gV+yDlXwnVC4EMO1CVYdlZPY/AsdMXrSvvOiTUjOvYy3pkVQHvF8X2pB2RvYK3+S680A
         Lce7FkamafCeVCh9h2ZlrxAMlFwXmhYM1ZjvESdAaYyO7ucQ3fP2R8ykxREQ2msTTD1z
         VOfWxIxuuOYDLsR6YbQlnEh9VbJ0SIGx2dGppQagB602nDJ6daORnAdtDwoDxIudKH59
         OxO6LZwnpR+3yjbm37cCZAcy4+BQpKiFh6daqpp827/4eHEF2O8Il3vPfqUcCi76kTYx
         eJTw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:message-id:date:subject:cc
         :to:from:dkim-signature:arc-authentication-results;
        bh=t41R9WG4PU1ilD/oarM/TrRwitfuzF13IrzLC4Er3jE=;
        b=pmhrdSNW6QmbMXRacnuO+bdueSZiW4SIz5N8xa45liP2ot/01qXMWbakhIeTJ5mR2V
         LEB2ggt5uBmdOOnoghdxpfcYBpbmhNHyaNwBBsXlXpG2Dfeppll8vR89VJu/kiK9pIrM
         Lhcwtnm30AXATGSW4gN7KwFTrLm6o07IZS+HCd6XtTAYcqloCJdrnPG+T3BwL3/vstiY
         bMfNu9lN1faa9Kw12i0z3+QTkfy9ZW1Y70gi73vvf6grMhUsql9C+29004fQWyqFJpHK
         QoJBqgWF7NsYqcv5LqWWxYGFmklEIRiTENX7lKr6zVqMIub0oUFHstjcFS7jUOdJW2RE
         IWSQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@ti.com header.s=ti-com-17Q1 header.b=CNQysVAx;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=ti.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id b5si15390918pgc.137.2017.11.14.06.35.27;
        Tue, 14 Nov 2017 06:35:39 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ti.com header.s=ti-com-17Q1 header.b=CNQysVAx;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=ti.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755563AbdKNOcV (ORCPT <rfc822;jaysonjohndmello@gmail.com>
        + 88 others); Tue, 14 Nov 2017 09:32:21 -0500
Received: from lelnx193.ext.ti.com ([198.47.27.77]:10839 "EHLO
        lelnx193.ext.ti.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1755483AbdKNOcN (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 14 Nov 2017 09:32:13 -0500
Received: from dlelxv90.itg.ti.com ([172.17.2.17])
        by lelnx193.ext.ti.com (8.15.1/8.15.1) with ESMTP id vAEEVZPx014351;
        Tue, 14 Nov 2017 08:31:35 -0600
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ti.com;
        s=ti-com-17Q1; t=1510669895;
        bh=CAzDOTSf2JeJzEOMWW5AyiiXyULi99FPrUMTT8DlRWU=;
        h=From:To:CC:Subject:Date;
        b=CNQysVAxWYesQBi+8rKJ8aQRCO20L8tmzGlp3YPUMhQKnl7OQfpj/2PyBFayCR98k
         VMFNuPeEm7aDj641VMaglzq1MSF7xwd4GIzYdv+nBhzlD5OkRkuEQMzaf8vyRKUr37
         1VYX9F0yQeFJ4SI/Ye1JZxVhpx6ExYEYvcbJtCv8=
Received: from DLEE115.ent.ti.com (dlee115.ent.ti.com [157.170.170.26])
        by dlelxv90.itg.ti.com (8.14.3/8.13.8) with ESMTP id vAEEVZor032510;
        Tue, 14 Nov 2017 08:31:35 -0600
Received: from DLEE104.ent.ti.com (157.170.170.34) by DLEE115.ent.ti.com
 (157.170.170.26) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.845.34; Tue, 14
 Nov 2017 08:31:35 -0600
Received: from dlep32.itg.ti.com (157.170.170.100) by DLEE104.ent.ti.com
 (157.170.170.34) with Microsoft SMTP Server (version=TLS1_0,
 cipher=TLS_RSA_WITH_AES_256_CBC_SHA) id 15.1.845.34 via Frontend Transport;
 Tue, 14 Nov 2017 08:31:35 -0600
Received: from feketebors.ti.com (ileax41-snat.itg.ti.com [10.172.224.153])
        by dlep32.itg.ti.com (8.14.3/8.13.8) with ESMTP id vAEEVX71018797;
        Tue, 14 Nov 2017 08:31:33 -0600
From:   Peter Ujfalusi <peter.ujfalusi@ti.com>
To:     <vinod.koul@intel.com>
CC:     <linux-arm-kernel@lists.infradead.org>,
        <dmaengine@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
        <lars@metafoo.de>
Subject: [PATCH 00/10] dmaengine: fix race with vchan_complete
Date:   Tue, 14 Nov 2017 16:32:02 +0200
Message-ID: <20171114143212.8311-1-peter.ujfalusi@ti.com>
X-Mailer: git-send-email 2.15.0
MIME-Version: 1.0
Content-Type: text/plain
X-EXCLAIMER-MD-CONFIG: e1e8a2fd-e40a-4ac6-ac9b-f7e9cc9ee180
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

With the introduction of .device_synchronize callback it was thought that the
race caused crash observed in vchan_complete is fixed, but unfortunately it can
still happen.

The observed scenario (really hard to reproduce) is:
Cyclic mode
- DMA period interrupt
 - call to vchan_cyclic_callback() which sets vc->cyclic to vd and schedules the
   vchan_complete tasklet
- .terminate_all is called
 - we make sure that no further DMA irqs are going to be handled, but the
   tasklet had been already scheduled
 - we free up the descriptor to avoid leaking memory
- the vchan_complete tasklet starts to execute and it checks vc->cyclic, which
  is not NULL, saves the vd pointer (which points to an already freed up memory)
  and try to access it later to call the callback
- the tasklet_kill() in .device_synchronize will make sure that the tasklet is
  going to finish it's execution if it is already scheduled, it can only help if
  the tasklet is yet to be executed.

At this point it is just matter of luck if the vc->cyclic is still pointing to
an unchanged memory location or it is taken into use and thus it is corrupted.

My first approach was to just set vc->cyclic to NULL in the .terminate_all
callback, but that still have theoritical race: if the vchan_complete is
executing and it saves the vd from vc->cyclic (protected by the vc->lock). If at
that point the .terminate_all is called it will wait for the lock and start
executing. _if_ the .terminate_all free up the vd before the vchan_complete
reaches the point when it is going to call the callback, then we have the race.

The series will do this:
- the drivers should call vchan_terminate_vdesc() instead of directly freeing up
  the descriptor. vchan_terminate_vdesc() will save the vd as vc->vd_terminated
  and will set the vc->cyclic to NULL, all while holding the lock.
- the drivers must implement the .device_synchronize callback and within the
  vchan_synchronize() we free up the vc->vd_terminated after we killed the
  tasklet.

I have tested this on platforms using TI's eDMA and sDMA and have not seen any
side effect so far and a client tested similar set on a setup where it was easy
to reproduce the race.

By looking for similar patterns in other drivers I have implemented the fix for
the ones where it looked straight forward.

Regards,
Peter
---
Peter Ujfalusi (10):
  dmaengine: virt-dma: Add helper to free/reuse a descriptor
  dmaengine: virt-dma: Support for race free transfer termination
  dmaengine: omap-dma: Use vchan_terminate_vdesc() instead of desc_free
  dmaengine: edma: Use vchan_terminate_vdesc() instead of desc_free
  dmaengine: bcm2835-dma: Use vchan_terminate_vdesc() instead of
    desc_free
  dmaengine: dma-jz4780: Use vchan_terminate_vdesc() instead of
    desc_free
  dmaengine: amba-pl08x: Use vchan_terminate_vdesc() instead of
    desc_free
  dmaengine: img-mdc-dma: Use vchan_terminate_vdesc() instead of
    desc_free
  dmaengine: k3dma: Use vchan_terminate_vdesc() instead of desc_free
  dmaengine: s3c24xx-dma: Use vchan_terminate_vdesc() instead of
    desc_free

 drivers/dma/amba-pl08x.c  | 11 ++++++++++-
 drivers/dma/bcm2835-dma.c | 10 +++++++++-
 drivers/dma/dma-jz4780.c  | 10 +++++++++-
 drivers/dma/edma.c        |  7 ++-----
 drivers/dma/img-mdc-dma.c | 17 ++++++++++++-----
 drivers/dma/k3dma.c       | 10 +++++++++-
 drivers/dma/omap-dma.c    |  2 +-
 drivers/dma/s3c24xx-dma.c | 11 ++++++++++-
 drivers/dma/virt-dma.c    |  5 +----
 drivers/dma/virt-dma.h    | 44 ++++++++++++++++++++++++++++++++++++++++++++
 10 files changed, 107 insertions(+), 20 deletions(-)

-- 
Peter

Texas Instruments Finland Oy, Porkkalankatu 22, 00180 Helsinki.
Y-tunnus/Business ID: 0615521-4. Kotipaikka/Domicile: Helsinki


From 1585866334898387852@xxx Mon Dec 04 15:06:32 +0000 2017
X-GM-THRID: 1584965695969556311
X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread