linux-stable/drivers/dma
Koba Ko f3dc1b3b47 dmaengine: Fix double increment of client_count in dma_chan_get()
The first time dma_chan_get() is called for a channel the channel
client_count is incorrectly incremented twice for public channels,
first in balance_ref_count(), and again prior to returning. This
results in an incorrect client count which will lead to the
channel resources not being freed when they should be. A simple
test of repeated module load and unload of async_tx on a Dell
PowerEdge R7425 also shows this resulting in a kref underflow
warning.

[  124.329662] async_tx: api initialized (async)
[  129.000627] async_tx: api initialized (async)
[  130.047839] ------------[ cut here ]------------
[  130.052472] refcount_t: underflow; use-after-free.
[  130.057279] WARNING: CPU: 3 PID: 19364 at lib/refcount.c:28
refcount_warn_saturate+0xba/0x110
[  130.065811] Modules linked in: async_tx(-) rfkill intel_rapl_msr
intel_rapl_common amd64_edac edac_mce_amd ipmi_ssif kvm_amd dcdbas kvm
mgag200 drm_shmem_helper acpi_ipmi irqbypass drm_kms_helper ipmi_si
syscopyarea sysfillrect rapl pcspkr ipmi_devintf sysimgblt fb_sys_fops
k10temp i2c_piix4 ipmi_msghandler acpi_power_meter acpi_cpufreq vfat
fat drm fuse xfs libcrc32c sd_mod t10_pi sg ahci crct10dif_pclmul
libahci crc32_pclmul crc32c_intel ghash_clmulni_intel igb megaraid_sas
i40e libata i2c_algo_bit ccp sp5100_tco dca dm_mirror dm_region_hash
dm_log dm_mod [last unloaded: async_tx]
[  130.117361] CPU: 3 PID: 19364 Comm: modprobe Kdump: loaded Not
tainted 5.14.0-185.el9.x86_64 #1
[  130.126091] Hardware name: Dell Inc. PowerEdge R7425/02MJ3T, BIOS
1.18.0 01/17/2022
[  130.133806] RIP: 0010:refcount_warn_saturate+0xba/0x110
[  130.139041] Code: 01 01 e8 6d bd 55 00 0f 0b e9 72 9d 8a 00 80 3d
26 18 9c 01 00 75 85 48 c7 c7 f8 a3 03 9d c6 05 16 18 9c 01 01 e8 4a
bd 55 00 <0f> 0b e9 4f 9d 8a 00 80 3d 01 18 9c 01 00 0f 85 5e ff ff ff
48 c7
[  130.157807] RSP: 0018:ffffbf98898afe68 EFLAGS: 00010286
[  130.163036] RAX: 0000000000000000 RBX: ffff9da06028e598 RCX: 0000000000000000
[  130.170172] RDX: ffff9daf9de26480 RSI: ffff9daf9de198a0 RDI: ffff9daf9de198a0
[  130.177316] RBP: ffff9da7cddf3970 R08: 0000000000000000 R09: 00000000ffff7fff
[  130.184459] R10: ffffbf98898afd00 R11: ffffffff9d9e8c28 R12: ffff9da7cddf1970
[  130.191596] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  130.198739] FS:  00007f646435c740(0000) GS:ffff9daf9de00000(0000)
knlGS:0000000000000000
[  130.206832] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  130.212586] CR2: 00007f6463b214f0 CR3: 00000008ab98c000 CR4: 00000000003506e0
[  130.219729] Call Trace:
[  130.222192]  <TASK>
[  130.224305]  dma_chan_put+0x10d/0x110
[  130.227988]  dmaengine_put+0x7a/0xa0
[  130.231575]  __do_sys_delete_module.constprop.0+0x178/0x280
[  130.237157]  ? syscall_trace_enter.constprop.0+0x145/0x1d0
[  130.242652]  do_syscall_64+0x5c/0x90
[  130.246240]  ? exc_page_fault+0x62/0x150
[  130.250178]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[  130.255243] RIP: 0033:0x7f6463a3f5ab
[  130.258830] Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48
83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00
00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89
01 48
[  130.277591] RSP: 002b:00007fff22f972c8 EFLAGS: 00000206 ORIG_RAX:
00000000000000b0
[  130.285164] RAX: ffffffffffffffda RBX: 000055b6786edd40 RCX: 00007f6463a3f5ab
[  130.292303] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055b6786edda8
[  130.299443] RBP: 000055b6786edd40 R08: 0000000000000000 R09: 0000000000000000
[  130.306584] R10: 00007f6463b9eac0 R11: 0000000000000206 R12: 000055b6786edda8
[  130.313731] R13: 0000000000000000 R14: 000055b6786edda8 R15: 00007fff22f995f8
[  130.320875]  </TASK>
[  130.323081] ---[ end trace eff7156d56b5cf25 ]---

cat /sys/class/dma/dma0chan*/in_use would get the wrong result.
2
2
2

Fixes: d2f4f99db3 ("dmaengine: Rework dma_chan_get")
Signed-off-by: Koba Ko <koba.ko@canonical.com>
Reviewed-by: Jie Hai <haijie1@huawei.com>
Test-by: Jie Hai <haijie1@huawei.com>
Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Tested-by: Joel Savitz <jsavitz@redhat.com>
Link: https://lore.kernel.org/r/20221201030050.978595-1-koba.ko@canonical.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
2023-01-18 17:36:49 +05:30
bestcomm treewide: Replace GPLv2 boilerplate/reference with SPDX - gpl-2.0_56.RULE (part 2) 2022-06-10 14:51:35 +02:00
dw dmaengine updates for v6.0-rc1 2022-08-04 18:44:38 -07:00
dw-axi-dmac Add exception protection processing for vd in axi_chan_handle_err function 2023-01-18 17:27:30 +05:30
dw-edma dmaengine: dw-edma: Remove runtime PM support 2022-09-29 22:46:08 +05:30
fsl-dpaa2-qdma dmaengine: fsl-dpaa2-qdma: Drop comma after SoC match table sentinel 2022-03-11 15:47:39 +05:30
hsu dmaengine: hsu: Include headers we are direct user of 2022-09-04 22:49:35 +05:30
idxd dmaengine: idxd: Do not call DMX TX callbacks during workqueue disable 2022-12-28 16:24:50 +05:30
ioat dmaengine: ioat: Fix spelling mistake "idel" -> "idle" 2022-10-19 18:56:57 +05:30
ipu
lgm dmaengine: lgm: Move DT parsing after initialization 2023-01-18 15:32:16 +05:30
mediatek dmaengine: mediatek: mtk-hsdma: Fix typo 'the the' in comment 2022-07-26 22:06:05 +05:30
ppc4xx treewide: Replace GPLv2 boilerplate/reference with SPDX - gpl-2.0_406.RULE 2022-06-10 14:51:37 +02:00
ptdma dmaengine: ptdma: statify pt_tx_status 2022-04-22 11:29:13 +05:30
qcom dmaengine: qcom: gpi: Set link_rx bit on GO TRE for rx operation 2022-12-28 12:26:11 +05:30
sf-pdma dmaengine: sf-pdma:Remove the print function dev_err() 2022-09-05 11:50:38 +05:30
sh dmaengine: sh: Remove unused shdma-arm.h 2022-11-04 20:12:41 +05:30
ti dmaengine: ti: k3-udma: Do conditional decrement of UDMA_CHAN_RT_PEER_BCNT_REG 2022-12-28 16:34:14 +05:30
xilinx dmaengine: xilinx_dma : add xilinx_dma_device_config() return documentation 2022-11-04 19:54:15 +05:30
acpi-dma.c
altera-msgdma.c dmaengine: altera-msgdma: Fixed some inconsistent function name descriptions 2022-07-06 22:00:06 +05:30
amba-pl08x.c dmaengine: pl08x: Fix double word 2022-09-29 12:24:16 +05:30
apple-admac.c Merge branch 'fixes' into next 2022-11-11 12:14:26 +05:30
at_hdmac.c dmaengine: at_hdmac: Convert driver to use virt-dma 2022-11-11 12:15:09 +05:30
at_xdmac.c dmaengine: at_xdmac: Replace two if statements with only one with two conditions 2022-09-05 12:01:55 +05:30
bcm-sba-raid.c treewide: Replace GPLv2 boilerplate/reference with SPDX - gpl-2.0_30.RULE (part 2) 2022-06-10 14:51:35 +02:00
bcm2835-dma.c
dma-axi-dmac.c dmaengine: axi-dmac: check cache coherency register 2022-07-26 22:05:20 +05:30
dma-jz4780.c dmaengine: JZ4780: Add support for the JZ4755. 2022-10-19 19:13:16 +05:30
dmaengine.c dmaengine: Fix double increment of client_count in dma_chan_get() 2023-01-18 17:36:49 +05:30
dmaengine.h dmaengine: dmaengine_desc_callback_valid(): Check for callback_result 2021-10-25 09:42:56 +05:30
dmatest.c treewide: use get_random_bytes() when possible 2022-10-11 17:42:58 -06:00
ep93xx_dma.c dmaengine: ep93xx: Fix typo in comments 2022-07-01 21:50:23 +05:30
fsl-edma-common.c dmaengine: fsl-edma: remove redundant assignment to pointer last_sg 2022-07-01 22:09:16 +05:30
fsl-edma-common.h dmaengine: fsl-edma: support edma memcpy 2021-10-28 22:56:24 +05:30
fsl-edma.c dmaengine: fsl-edma: support edma memcpy 2021-10-28 22:56:24 +05:30
fsl-qdma.c
fsl_raid.c
fsl_raid.h
fsldma.c
fsldma.h
hisi_dma.c dmaengine: hisilicon: Dump regs to debugfs 2022-09-04 22:42:35 +05:30
idma64.c dmaengine: idma64: Make idma64_remove() return void 2022-10-19 19:17:35 +05:30
idma64.h
img-mdc-dma.c
imx-dma.c dmaengine: imx-dma: Cast of_device_get_match_data() with (uintptr_t) 2022-07-21 18:08:35 +05:30
imx-sdma.c dmaengine updates for v6.0-rc1 2022-08-04 18:44:38 -07:00
k3dma.c
Kconfig dmaengine updates for v6.2 2022-12-19 08:54:17 -06:00
lpc18xx-dmamux.c
Makefile dmaengine: Revert "dmaengine: remove s3c24xx driver" 2022-12-02 17:11:50 +05:30
mcf-edma.c
milbeaut-hdmac.c dmaengine: milbeaut-hdmac: Prefer kcalloc over open coded arithmetic 2021-10-25 12:12:13 +05:30
milbeaut-xdmac.c
mmp_pdma.c dmaengine: mmp: deprecate '#dma-channels' 2022-05-19 22:53:46 +05:30
mmp_tdma.c
moxart-dma.c treewide: Replace GPLv2 boilerplate/reference with SPDX - gpl-2.0_56.RULE (part 2) 2022-06-10 14:51:35 +02:00
mpc512x_dma.c
mv_xor.c
mv_xor.h
mv_xor_v2.c dmaengine: mv_xor_v2: Fix a resource leak in mv_xor_v2_remove() 2022-11-08 10:43:56 +05:30
mxs-dma.c dmaengine: mxs: use platform_driver_register 2022-09-29 12:05:20 +05:30
nbpfaxi.c dmaengine: nbpfaxi: Use platform_get_irq_optional() to get the interrupt 2022-04-11 16:26:53 +05:30
of-dma.c
owl-dma.c dmaengine: owl: fix typo in comment 2022-07-06 10:50:43 +05:30
pch_dma.c dmaengine: pch_dma: Remove usage of the deprecated "pci-dma-compat.h" API 2022-01-08 22:16:44 +05:30
pl330.c dmaengine: pl330: Remove unused flags 2022-09-05 12:01:54 +05:30
plx_dma.c dmaengine: plx_dma: Move spin_lock_bh() to spin_lock() 2022-04-20 15:59:33 +05:30
pxa_dma.c dmaengine: pxa_dma: use platform_get_irq_optional 2022-11-08 10:42:51 +05:30
s3c24xx-dma.c dmaengine: Revert "dmaengine: remove s3c24xx driver" 2022-12-02 17:11:50 +05:30
sa11x0-dma.c dmaengine: sa11x0: Mark PM functions as __maybe_unused 2021-10-26 10:55:07 +05:30
sprd-dma.c dmaengine: sprd: Cleanup in .remove() after pm_runtime_get_sync() failed 2022-07-26 18:20:49 +05:30
st_fdma.c dmaengine: st_fdma: fix MODULE_ALIAS 2021-12-13 13:18:48 +05:30
st_fdma.h
ste_dma40.c dmaengine: ste_dma40: fix typo in comment 2022-07-06 10:54:08 +05:30
ste_dma40_ll.c
ste_dma40_ll.h
stm32-dma.c dmaengine: stm32-dma: fix potential race between pause and resume 2022-11-08 10:43:56 +05:30
stm32-dmamux.c dmaengine: stm32-dmamux: Simplify code and save a few bytes of memory 2022-09-05 11:52:28 +05:30
stm32-mdma.c dmaengine: stm32-mdma: memset stm32_mdma_chan_config struct before using it 2022-10-19 19:01:19 +05:30
sun4i-dma.c dmaengine: sun4i: Set the maximum segment size 2022-07-05 18:34:26 +05:30
sun6i-dma.c dmaengine: sun6i: Add support for the D1 variant 2022-05-19 23:43:41 +05:30
tegra20-apb-dma.c dmaengine: tegra20-apb: stop checking config->slave_id 2021-12-17 11:23:38 +05:30
tegra186-gpc-dma.c dmaengine: tegra: Add support for dma-channel-mask 2022-11-14 04:01:12 +05:30
tegra210-adma.c dmaengine: tegra210-adma: fix global intr clear 2023-01-18 17:34:36 +05:30
timb_dma.c
TODO
txx9dmac.c
txx9dmac.h
uniphier-mdmac.c
uniphier-xdmac.c dmaengine: uniphier-xdmac: Fix type of address variables 2022-01-03 17:49:37 +05:30
virt-dma.c
virt-dma.h
xgene-dma.c