lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1471611828-15548-1-git-send-email-hychao@chromium.org>
Date:   Fri, 19 Aug 2016 21:03:48 +0800
From:   Hsin-Yu Chao <hychao@...omium.org>
To:     unlisted-recipients:; (no To-header on input)
Cc:     Hsin-Yu Chao <hychao@...omium.org>,
        Dan Williams <dan.j.williams@...el.com>,
        Vinod Koul <vinod.koul@...el.com>,
        dmaengine@...r.kernel.org (open list:DMA GENERIC OFFLOAD ENGINE
        SUBSYSTEM), linux-kernel@...r.kernel.org (open list)
Subject: [PATCH] dmaengine: pl330: use lock of dma channel in pl330_update

The content of pl330_thread could be modified in pl330_update
without protection by the lock from the dma channel who currently
holding this thread. This could cause bug to the calculation of
in pl330_tx_status, if the running request has just been done and
moving to next request while calculating the residual number, an
invalid number from BUSY descriptor could be added up.
---
 drivers/dma/pl330.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c
index 31e9c49..2449cb7 100644
--- a/drivers/dma/pl330.c
+++ b/drivers/dma/pl330.c
@@ -1564,6 +1564,19 @@ static void pl330_dotask(unsigned long data)
 	return;
 }
 
+static struct dma_pl330_chan *get_dma_channel(struct pl330_dmac *pl330,
+					      struct pl330_thread *thrd)
+{
+	struct dma_pl330_chan *pch;
+	int i;
+	for (i = 0; i < pl330->num_peripherals; i++) {
+		pch = &pl330->peripherals[i];
+		if (pch && pch->thread == thrd)
+			return pch;
+	}
+	return NULL;
+}
+
 /* Returns 1 if state was updated, 0 otherwise */
 static int pl330_update(struct pl330_dmac *pl330)
 {
@@ -1613,6 +1626,7 @@ static int pl330_update(struct pl330_dmac *pl330)
 	for (ev = 0; ev < pl330->pcfg.num_events; ev++) {
 		if (val & (1 << ev)) { /* Event occurred */
 			struct pl330_thread *thrd;
+			struct dma_pl330_chan *pch;
 			u32 inten = readl(regs + INTEN);
 			int active;
 
@@ -1625,6 +1639,9 @@ static int pl330_update(struct pl330_dmac *pl330)
 			id = pl330->events[ev];
 
 			thrd = &pl330->channels[id];
+			pch = get_dma_channel(pl330, thrd);
+			if (pch)
+				spin_lock_irqsave(&pch->lock, flags);
 
 			active = thrd->req_running;
 			if (active == -1) /* Aborted */
@@ -1638,6 +1655,8 @@ static int pl330_update(struct pl330_dmac *pl330)
 
 			/* Get going again ASAP */
 			_start(thrd);
+			if (pch)
+				spin_unlock_irqrestore(&pch->lock, flags);
 
 			/* For now, just make a list of callbacks to be done */
 			list_add_tail(&descdone->rqd, &pl330->req_done);
-- 
2.6.6

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ