From patchwork Wed Aug 3 10:59:26 2016
X-Patchwork-Submitter: Fabien Lahoudere
X-Patchwork-Id: 9261011
From: Fabien Lahoudere
Cc: Hannu Koivisto, Fabien Lahoudere, Vinod Koul, Dan Williams, dmaengine@vger.kernel.org (open list:DMA GENERIC OFFLOAD ENGINE SUBSYSTEM), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH 1/1] Fix NULL pointer dereference in imx serial driver DMA callback
Date: Wed, 3 Aug 2016 12:59:26 +0200
Message-Id: <1470221967-19350-1-git-send-email-fabien.lahoudere@collabora.co.uk>
X-Mailing-List: dmaengine@vger.kernel.org

From: Hannu Koivisto

dma_rx_callback() may see NULL dma_chan_rx if DMA interrupt [1] occurs a moment[2] before imx_uart_dma_exit() sets it to NULL. imx_uart_dma_exit() calls dmaengine_terminate_all() and dma_release_channel() but neither of those prevent the callback being called after they have returned.

A similar problem has been discussed by ALSA developers (http://mailman.alsa-project.org/pipermail/alsa-devel/2013-October/067239.html) and it was pointed out that dmaengine_terminate_all() might be called from the callback, so we cannot call tasklet_kill() in imx-sdma's code called by dmaengine_terminate_all().

Hopefully it doesn't make sense to call dma_release_channel() from the callback, so instead of adding synchronization to imx serial driver, we add tasklet_kill() call to sdma_free_chan_resources(). While most DMA drivers don't do that, there is one example that does: pl330.

[1] It schedules sdma_tasklet, which again calls the dma_rx_callback.
[2] I tested this by scheduling the sdma tasklet as far as right before the imx_stop_tx() call in imx_shutdown() and the problem occurred.

Signed-off-by: Fabien Lahoudere
---
 drivers/dma/imx-sdma.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/dma/imx-sdma.c b/drivers/dma/imx-sdma.c index 46c9027..da86792 100644 --- a/drivers/dma/imx-sdma.c +++ b/drivers/dma/imx-sdma.c 
@@ -1135,6 +1135,8 @@ static void sdma_free_chan_resources(struct dma_chan *chan) sdma_disable_channel(chan); + tasklet_kill(&sdmac->tasklet); + if (sdmac->event_id0) sdma_event_disable(sdmac, sdmac->event_id0); if (sdmac->event_id1)
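Review bot: The new tasklet_kill(&sdmac->tasklet) sits before the sdma_event_disable() calls, and tasklet_kill() only waits for a tasklet that is already scheduled or running; it does not stop one from being scheduled afterwards. Please confirm that sdma_disable_channel(chan) alone guarantees no further interrupt can schedule sdmac->tasklet, or move the tasklet_kill() call below the event_id0/event_id1 disables so that nothing can re-arm it between the kill and the release. Because tasklet_kill() waits for the tasklet to finish, sdma_free_chan_resources() can now never be reached from the DMA callback itself or from atomic context. The commit message only hopes that is the case, so a short comment above the call stating that constraint would help future callers. The subject line also names the imx serial driver while the change is in drivers/dma/imx-sdma.c, so a "dmaengine: imx-sdma:" prefix would match the file touched.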