From patchwork Mon Sep 12 12:50:55 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ian Arkver X-Patchwork-Id: 9326379 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id C56A96077F for ; Mon, 12 Sep 2016 12:52:43 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B7AB628D8D for ; Mon, 12 Sep 2016 12:52:43 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id ACBEC28D8F; Mon, 12 Sep 2016 12:52:43 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, FREEMAIL_FROM, RCVD_IN_DNSWL_MED, T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.9]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 14E8428D8D for ; Mon, 12 Sep 2016 12:52:43 +0000 (UTC) Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.85_2 #1 (Red Hat Linux)) id 1bjQhn-0007Ze-Ux; Mon, 12 Sep 2016 12:51:23 +0000 Received: from mail-wm0-x244.google.com ([2a00:1450:400c:c09::244]) by bombadil.infradead.org with esmtps (Exim 4.85_2 #1 (Red Hat Linux)) id 1bjQhj-0007QN-65 for linux-arm-kernel@lists.infradead.org; Mon, 12 Sep 2016 12:51:20 +0000 Received: by mail-wm0-x244.google.com with SMTP id b187so13453868wme.0 for ; Mon, 12 Sep 2016 05:50:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=to:from:subject:cc:message-id:date:user-agent:mime-version :content-transfer-encoding; bh=FWU8T3EIyLJSSvybc5T49kbLf3X7Cd2SslVanMClNTw=; b=DJ1hsBjswTfaKwD5FIWurUREArzSUaS2pbMgOc/worXnpy2OOapzhBDu7o+cF+iYG5 /D1DtHWjsUB6iVTHgn/GAn25hM6yMV9zdiVkzB8/22pkw3D1GeTJ3SpDoCLDBcMS/mu2 vcIndCZh32SMFJROkCzIYHTEBJOIhEYDR4ZGqFnltHhE1oDyBNT6B0EmXxm1C+kOSjWH rC48tHaVVrKnKuVVq70bEtjnCWP8CWb4bBJvLBJAzvvIsiR9V7fWGeWxitgkhyf3AKN9 FeN6LAaNsAvlSSJMkepjO+/Uzno/QXenhFhDNIx/E1xL2R2e/e0NCAXBUR+f2dWZalor 6vGA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:to:from:subject:cc:message-id:date:user-agent :mime-version:content-transfer-encoding; bh=FWU8T3EIyLJSSvybc5T49kbLf3X7Cd2SslVanMClNTw=; b=Gp4wSM8OpW89c/zhfoK7QtHUp/en/RedUUUb779a5NobPhfAdrF1bdDZrqG8MNHZbX vDmTIMlzG98elZx5yLG8B13Tx77BqGmty6fSRBV1UAeDhiYbTMjuYtIMjwemoyhBFzPX qoemozujFVYAsWzsTSo3uTHQyF0NeyDw4KzNVvC/Jeod4q/1aqGDDz7O5+coVAVIismw rEODjfeE7SIhNfB+jLuohcpIFU2CK0Uy7QjDAAeuhhE7uwNqOiVAIilCaSiVMdD3ew25 IsoTPZ45o1ODeAbjzb6KYROSye7TGbIbOzw73WR8IBY8bOBf7gK5p34FfuKn5OZ3DX7W XsZw== X-Gm-Message-State: AE9vXwOLe1odfUcqEQuQh2LPzzZR1XcL8Ojuu+asrffVzHu2hduzzF1xAMR5Uq2gYMwUUg== X-Received: by 10.194.202.133 with SMTP id ki5mr17788477wjc.45.1473684656910; Mon, 12 Sep 2016 05:50:56 -0700 (PDT) Received: from [192.168.19.16] (host86-131-204-18.range86-131.btcentralplus.com. [86.131.204.18]) by smtp.googlemail.com with ESMTPSA id kk6sm17766607wjb.44.2016.09.12.05.50.55 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 12 Sep 2016 05:50:56 -0700 (PDT) To: linux-arm-kernel@lists.infradead.org From: Ian Arkver Subject: [PATCH] arm: imx-dma: Don't change desc pointer before calling callback Message-ID: Date: Mon, 12 Sep 2016 13:50:55 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20160912_055119_474689_EB0A5FB7 X-CRM114-Status: GOOD ( 16.93 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Vinod Koul , Sascha Hauer , Michael Grzeschik , Javier Martin Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+patchwork-linux-arm=patchwork.kernel.org@lists.infradead.org X-Virus-Scanned: ClamAV using ClamSMTP This commit... fcaaba6 dmaengine: imx-dma: fix callback path in tasklet moved the test and call of the DMA completion callback function into the tasklet exit path which is after the manipulation of ld_queue and ld_active. This manipulation changes the desc pointer and can result in the wrong descriptor being checked for the callback function. One fix is to use a temporary variable to do the queue update. Signed-off-by: Ian Jamison --- I found the bug and tested this patch on kernel 3.10.103 which has the original patch backported. It was found using m2m_deinterlacer which issues several DMAs with a callback on the last one. When the callback is called early there is a race between the v4l2 framework returning the buffers which invalidates the buffer pointers and the next DMA completion. This resulted in intermittent NULL pointer dereferences. I believe the fix is relevant to current mainline kernel as this code fragment has not changed. drivers/dma/imx-dma.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) xfer desc\n", __func__, imxdmac->channel); } -- 2.9.3 diff --git a/drivers/dma/imx-dma.c b/drivers/dma/imx-dma.c index a960608..335c2d0 100644 --- a/drivers/dma/imx-dma.c +++ b/drivers/dma/imx-dma.c @@ -653,10 +653,10 @@ static void imxdma_tasklet(unsigned long data) list_move_tail(imxdmac->ld_active.next, &imxdmac->ld_free); if (!list_empty(&imxdmac->ld_queue)) { - desc = list_first_entry(&imxdmac->ld_queue, struct imxdma_desc, - node); + struct imxdma_desc *tmpdesc = list_first_entry( + &imxdmac->ld_queue, struct imxdma_desc, node); list_move_tail(imxdmac->ld_queue.next, &imxdmac->ld_active); - if (imxdma_xfer_desc(desc) < 0) + if (imxdma_xfer_desc(tmpdesc) < 0) dev_warn(imxdma->dev, "%s: channel: %d couldn't