diff mbox

[V2] dmaengine: qcom_hidma: release the descriptor before the callback

Message ID 1469974266-28023-1-git-send-email-okaya@codeaurora.org (mailing list archive)
State Changes Requested
Headers show

Commit Message

Sinan Kaya July 31, 2016, 2:11 p.m. UTC
There is a race condition between data transfer callback and descriptor
free code. The callback routine may decide to clear the resources even
though the descriptor has not yet been freed.

Instead of calling the callback first and then releasing the memory,
this code is changing the order to return the descriptor back to the
free pool and then call the user provided callback.

Signed-off-by: Sinan Kaya <okaya@codeaurora.org>
---
 drivers/dma/qcom/hidma.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

Comments

Timur Tabi July 31, 2016, 2:13 p.m. UTC | #1
Sinan Kaya wrote:
> +	list_for_each_entry_safe(mdesc, next, &list, node) {
>   		enum dma_status llstat;
> +		dma_async_tx_callback callback;
> +		void *param;
>
>   		desc = &mdesc->desc;
>
> @@ -132,18 +135,19 @@ static void hidma_process_completed(struct hidma_chan *mchan)
>   		spin_unlock_irqrestore(&mchan->lock, irqflags);
>
>   		llstat = hidma_ll_status(mdma->lldev, mdesc->tre_ch);
> -		if (desc->callback && (llstat == DMA_COMPLETE))
> -			desc->callback(desc->callback_param);
> +		callback = desc->callback;
> +		param = desc->callback_param;

It looks to me like 'callback' and 'param' are never actually used.
Timur Tabi July 31, 2016, 2:14 p.m. UTC | #2
Timur Tabi wrote:
>>
>
> It looks to me like 'callback' and 'param' are never actually used.

Never mind.  I really shouldn't review code before my morning coffee.
diff mbox

Patch

diff --git a/drivers/dma/qcom/hidma.c b/drivers/dma/qcom/hidma.c
index 41b5c6d..4aaceab 100644
--- a/drivers/dma/qcom/hidma.c
+++ b/drivers/dma/qcom/hidma.c
@@ -111,6 +111,7 @@  static void hidma_process_completed(struct hidma_chan *mchan)
 	struct dma_async_tx_descriptor *desc;
 	dma_cookie_t last_cookie;
 	struct hidma_desc *mdesc;
+	struct hidma_desc *next;
 	unsigned long irqflags;
 	struct list_head list;
 
@@ -122,8 +123,10 @@  static void hidma_process_completed(struct hidma_chan *mchan)
 	spin_unlock_irqrestore(&mchan->lock, irqflags);
 
 	/* Execute callbacks and run dependencies */
-	list_for_each_entry(mdesc, &list, node) {
+	list_for_each_entry_safe(mdesc, next, &list, node) {
 		enum dma_status llstat;
+		dma_async_tx_callback callback;
+		void *param;
 
 		desc = &mdesc->desc;
 
@@ -132,18 +135,19 @@  static void hidma_process_completed(struct hidma_chan *mchan)
 		spin_unlock_irqrestore(&mchan->lock, irqflags);
 
 		llstat = hidma_ll_status(mdma->lldev, mdesc->tre_ch);
-		if (desc->callback && (llstat == DMA_COMPLETE))
-			desc->callback(desc->callback_param);
+		callback = desc->callback;
+		param = desc->callback_param;
 
 		last_cookie = desc->cookie;
 		dma_run_dependencies(desc);
-	}
 
-	/* Free descriptors */
-	spin_lock_irqsave(&mchan->lock, irqflags);
-	list_splice_tail_init(&list, &mchan->free);
-	spin_unlock_irqrestore(&mchan->lock, irqflags);
+		spin_lock_irqsave(&mchan->lock, irqflags);
+		list_move(&mdesc->node, &mchan->free);
+		spin_unlock_irqrestore(&mchan->lock, irqflags);
 
+		if (callback && (llstat == DMA_COMPLETE))
+			callback(param);
+	}
 }
 
 /*