From patchwork Tue Nov 14 14:32:04 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Ujfalusi X-Patchwork-Id: 10057805 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id BADCA601D3 for ; Tue, 14 Nov 2017 14:47:44 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B1F2028E4E for ; Tue, 14 Nov 2017 14:47:44 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id A6CFC29065; Tue, 14 Nov 2017 14:47:44 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_MED autolearn=unavailable version=3.3.1 Received: from bombadil.infradead.org (bombadil.infradead.org [65.50.211.133]) (using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 41D6228E4E for ; Tue, 14 Nov 2017 14:47:44 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=qPfjmE4WZbyw1qbpgqqYvu0o7VBsaPsrPlt6AF14V2k=; b=nRX7dUWFghefmc ERZYOrer2j5E4YZXKr9v6i1SB9ioiKIECf0ilub248/bkV9Oj5WqICpf1p4DFLYXxc/45tXEZgPAa 2wiBj4oRaL99OfpxLFFmXe7QVkxfFu2dQivRydqrjA/m9UkJfgRc7qxjPVLhTwkN4wFkNbOF7zPaa ICu2qjJWXeDgvwCe5IkldQPVXwuQp9Nkx6WwBr6YHcFnNq1sHRXwFPcegMbeGuvFU5WQtvCKaPmCj v+LqJJK3W3gSZEgjK2OOfGJ/VxRcv6HvbdMSS05dB87tTnI/GObhsAq8kplWZ/dBIF/pevXv4d7hs 8tROoSpT3y2JxEXh+OxA==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.87 #1 (Red Hat Linux)) id 1eEcV5-0005EJ-3z; Tue, 14 Nov 2017 14:47:43 +0000 Received: from lelnx194.ext.ti.com ([198.47.27.80]) by bombadil.infradead.org with esmtps (Exim 4.87 #1 (Red Hat Linux)) id 1eEcFs-0001us-2E for linux-arm-kernel@lists.infradead.org; Tue, 14 Nov 2017 14:32:02 +0000 Received: from dlelxv90.itg.ti.com ([172.17.2.17]) by lelnx194.ext.ti.com (8.15.1/8.15.1) with ESMTP id vAEEVdV4029738; Tue, 14 Nov 2017 08:31:39 -0600 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ti.com; s=ti-com-17Q1; t=1510669899; bh=yXsyK7/8gOvzhwgJEbjVtGdZuA7ZnKp6Ytuz9/sScUE=; h=From:To:CC:Subject:Date:In-Reply-To:References; b=aLh7YrhRyzgKjq4n8s4H3jlWzTabVNPDDtU1JACaSWCvJJnk3zAVhbyu4OLRcQlLF VRnPZWeFX57peMamB6Tjq8/Wdjsaa0ZtvKbJJEoNboKBNULkeKWjWu91m91cscvLpf PpqRI4WxSRVcqb6QjiRaPG0o4XyEGUsmJS6fHccM= Received: from DFLE106.ent.ti.com (dfle106.ent.ti.com [10.64.6.27]) by dlelxv90.itg.ti.com (8.14.3/8.13.8) with ESMTP id vAEEVdiG032591; Tue, 14 Nov 2017 08:31:39 -0600 Received: from DFLE100.ent.ti.com (10.64.6.21) by DFLE106.ent.ti.com (10.64.6.27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.845.34; Tue, 14 Nov 2017 08:31:38 -0600 Received: from dlep32.itg.ti.com (157.170.170.100) by DFLE100.ent.ti.com (10.64.6.21) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_RSA_WITH_AES_256_CBC_SHA) id 15.1.845.34 via Frontend Transport; Tue, 14 Nov 2017 08:31:38 -0600 Received: from feketebors.ti.com (ileax41-snat.itg.ti.com [10.172.224.153]) by dlep32.itg.ti.com (8.14.3/8.13.8) with ESMTP id vAEEVX73018797; Tue, 14 Nov 2017 08:31:37 -0600 From: Peter Ujfalusi To: Subject: [PATCH 02/10] dmaengine: virt-dma: Support for race free transfer termination Date: Tue, 14 Nov 2017 16:32:04 +0200 Message-ID: <20171114143212.8311-3-peter.ujfalusi@ti.com> X-Mailer: git-send-email 2.15.0 In-Reply-To: <20171114143212.8311-1-peter.ujfalusi@ti.com> References: <20171114143212.8311-1-peter.ujfalusi@ti.com> MIME-Version: 1.0 X-EXCLAIMER-MD-CONFIG: e1e8a2fd-e40a-4ac6-ac9b-f7e9cc9ee180 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20171114_063200_229071_492F84F4 X-CRM114-Status: GOOD ( 13.62 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: dmaengine@vger.kernel.org, lars@metafoo.de, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org X-Virus-Scanned: ClamAV using ClamSMTP Even with the introduced vchan_synchronize() we can face race when terminating a cyclic transfer. If the terminate_all is called after the interrupt handler called vchan_cyclic_callback(), but before the vchan_complete tasklet is called: vc->cyclic is set to the cyclic descriptor, but the descriptor itself was freed up in the driver's terminate_all() callback. When the vhan_complete() is executed it will try to fetch the vc->cyclic vdesc, but the pointer is pointing now to uninitialized memory leading to (hard to reproduce) kernel crash. In order to fix this, drivers should: - call vchan_terminate_vdesc() from their terminate_all callback instead calling their free_desc function to free up the descriptor. - implement device_synchronize callback and call vchan_synchronize(). This way we can make sure that the descriptor is only going to be freed up after the vchan_callback was executed in a safe manner. Signed-off-by: Peter Ujfalusi Reviewed-by: Linus Walleij --- drivers/dma/virt-dma.h | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/drivers/dma/virt-dma.h b/drivers/dma/virt-dma.h index 2edb05505102..b09b75ab0751 100644 --- a/drivers/dma/virt-dma.h +++ b/drivers/dma/virt-dma.h @@ -35,6 +35,7 @@ struct virt_dma_chan { struct list_head desc_completed; struct virt_dma_desc *cyclic; + struct virt_dma_desc *vd_terminated; }; static inline struct virt_dma_chan *to_virt_chan(struct dma_chan *chan) @@ -129,6 +130,25 @@ static inline void vchan_cyclic_callback(struct virt_dma_desc *vd) tasklet_schedule(&vc->task); } +/** + * vchan_terminate_vdesc - Disable pending cyclic callback + * @vd: virtual descriptor to be terminated + * + * vc.lock must be held by caller + */ +static inline void vchan_terminate_vdesc(struct virt_dma_desc *vd) +{ + struct virt_dma_chan *vc = to_virt_chan(vd->tx.chan); + + /* free up stuck descriptor */ + if (vc->vd_terminated) + vchan_vdesc_fini(vc->vd_terminated); + + vc->vd_terminated = vd; + if (vc->cyclic == vd) + vc->cyclic = NULL; +} + /** * vchan_next_desc - peek at the next descriptor to be processed * @vc: virtual channel to obtain descriptor from @@ -182,10 +202,20 @@ static inline void vchan_free_chan_resources(struct virt_dma_chan *vc) * Makes sure that all scheduled or active callbacks have finished running. For * proper operation the caller has to ensure that no new callbacks are scheduled * after the invocation of this function started. + * Free up the terminated cyclic descriptor to prevent memory leakage. */ static inline void vchan_synchronize(struct virt_dma_chan *vc) { + unsigned long flags; + tasklet_kill(&vc->task); + + spin_lock_irqsave(&vc->lock, flags); + if (vc->vd_terminated) { + vchan_vdesc_fini(vc->vd_terminated); + vc->vd_terminated = NULL; + } + spin_unlock_irqrestore(&vc->lock, flags); } #endif