lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Sat, 27 Apr 2019 16:13:09 +0100
From:   Ben Hutchings <>
CC:, Denis Kirjanov <>,
        "Stefan Wahren" <>,
        "Lukas Wunner" <>, "Vinod Koul" <>,
        "Florian Kauer" <>,
        "Florian Meier" <>,
        "Matthias Reichl" <>,
        "Clive Messer" <>,
        "Frank Pavlic" <>,
        "Martin Sperl" <>
Subject: [PATCH 3.16 089/202] dmaengine: bcm2835: Fix abort of transactions

3.16.66-rc1 review patch.  If anyone has any objections, please let me know.


From: Lukas Wunner <>

commit 9e528c799d17a4ac37d788c81440b50377dd592d upstream.

There are multiple issues with bcm2835_dma_abort() (which is called on
termination of a transaction):

* The algorithm to abort the transaction first pauses the channel by
  clearing the ACTIVE flag in the CS register, then waits for the PAUSED
  flag to clear.  Page 49 of the spec documents the latter as follows:

  "Indicates if the DMA is currently paused and not transferring data.
   This will occur if the active bit has been cleared [...]"

  So the function is entering an infinite loop because it is waiting for
  PAUSED to clear which is always set due to the function having cleared
  the ACTIVE flag.  The only thing that's saving it from itself is the
  upper bound of 10000 loop iterations.

  The code comment says that the intention is to "wait for any current
  AXI transfer to complete", so the author probably wanted to check the
  WAITING_FOR_OUTSTANDING_WRITES flag instead.  Amend the function

* The CS register is only read at the beginning of the function.  It
  needs to be read again after pausing the channel and before checking
  for outstanding writes, otherwise writes which were issued between
  the register read at the beginning of the function and pausing the
  channel may not be waited for.

* The function seeks to abort the transfer by writing 0 to the NEXTCONBK
  register and setting the ABORT and ACTIVE flags.  Thereby, the 0 in
  NEXTCONBK is sought to be loaded into the CONBLK_AD register.  However
  experimentation has shown this approach to not work:  The CONBLK_AD
  register remains the same as before and the CS register contains
  0x00000030 (PAUSED | DREQ_STOPS_DMA).  In other words, the control
  block is not aborted but merely paused and it will be resumed once the
  next DMA transaction is started.  That is absolutely not the desired

  A simpler approach is to set the channel's RESET flag instead.  This
  reliably zeroes the NEXTCONBK as well as the CS register.  It requires
  less code and only a single MMIO write.  This is also what popular
  user space DMA drivers do, e.g.:

  Note that the spec is contradictory whether the NEXTCONBK register
  is writeable at all.  On the one hand, page 41 claims:

  "The value loaded into the NEXTCONBK register can be overwritten so
  that the linked list of Control Block data structures can be
  dynamically altered. However it is only safe to do this when the DMA
  is paused."

  On the other hand, page 40 specifies:

  "Only three registers in each channel's register set are directly
  writeable (CS, CONBLK_AD and DEBUG). The other registers (TI,
  loaded from a Control Block data structure held in external memory."

Fixes: 96286b576690 ("dmaengine: Add support for BCM2835")
Signed-off-by: Lukas Wunner <>
Cc: Frank Pavlic <>
Cc: Martin Sperl <>
Cc: Florian Meier <>
Cc: Clive Messer <>
Cc: Matthias Reichl <>
Tested-by: Stefan Wahren <>
Acked-by: Florian Kauer <>
Signed-off-by: Vinod Koul <>
Signed-off-by: Ben Hutchings <>
 drivers/dma/bcm2835-dma.c | 41 +++++++++------------------------------
 1 file changed, 9 insertions(+), 32 deletions(-)

--- a/drivers/dma/bcm2835-dma.c
+++ b/drivers/dma/bcm2835-dma.c
@@ -191,13 +191,11 @@ static void bcm2835_dma_desc_free(struct
-static int bcm2835_dma_abort(void __iomem *chan_base)
+static int bcm2835_dma_abort(struct bcm2835_chan *c)
-	unsigned long cs;
+	void __iomem *chan_base = c->chan_base;
 	long int timeout = 10000;
-	cs = readl(chan_base + BCM2835_DMA_CS);
 	 * A zero control block address means the channel is idle.
 	 * (The ACTIVE flag in the CS register is not a reliable indicator.)
@@ -209,25 +207,16 @@ static int bcm2835_dma_abort(void __iome
 	writel(0, chan_base + BCM2835_DMA_CS);
 	/* Wait for any current AXI transfer to complete */
-	while ((cs & BCM2835_DMA_ISPAUSED) && --timeout) {
+	while ((readl(chan_base + BCM2835_DMA_CS) &
+		BCM2835_DMA_WAITING_FOR_WRITES) && --timeout)
-		cs = readl(chan_base + BCM2835_DMA_CS);
-	}
-	/* We'll un-pause when we set of our next DMA */
+	/* Peripheral might be stuck and fail to signal AXI write responses */
 	if (!timeout)
-		return -ETIMEDOUT;
-	if (!(cs & BCM2835_DMA_ACTIVE))
-		return 0;
-	/* Terminate the control block chain */
-	writel(0, chan_base + BCM2835_DMA_NEXTCB);
-	/* Abort the whole DMA */
-	writel(BCM2835_DMA_ABORT | BCM2835_DMA_ACTIVE,
-	       chan_base + BCM2835_DMA_CS);
+		dev_err(c->vc.chan.device->dev,
+			"failed to complete outstanding writes\n");
+	writel(BCM2835_DMA_RESET, chan_base + BCM2835_DMA_CS);
 	return 0;
@@ -506,7 +495,6 @@ static int bcm2835_dma_terminate_all(str
 	struct bcm2835_dmadev *d = to_bcm2835_dma_dev(c->vc.chan.device);
 	unsigned long flags;
-	int timeout = 10000;
 	spin_lock_irqsave(&c->vc.lock, flags);
@@ -519,18 +507,7 @@ static int bcm2835_dma_terminate_all(str
 	/* stop DMA activity */
 	if (c->desc) {
 		c->desc = NULL;
-		bcm2835_dma_abort(c->chan_base);
-		/* Wait for stopping */
-		while (--timeout) {
-			if (!readl(c->chan_base + BCM2835_DMA_ADDR))
-				break;
-			cpu_relax();
-		}
-		if (!timeout)
-			dev_err(d->, "DMA transfer could not be terminated\n");
+		bcm2835_dma_abort(c);
 	vchan_get_all_descriptors(&c->vc, &head);

Powered by blists - more mailing lists