Date:   Fri, 12 Jun 2020 02:20:23 +0000
From:   Robin Gong <yibin.gong@....com>
To:     Krzysztof Kozlowski <krzk@...nel.org>,
        Vinod Koul <vkoul@...nel.org>,
        Dan Williams <dan.j.williams@...el.com>,
        Angelo Dureghello <angelo@...am.it>,
        "dmaengine@...r.kernel.org" <dmaengine@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
CC:     Peng Ma <peng.ma@....com>, Fabio Estevam <festevam@...il.com>,
        "stable@...r.kernel.org" <stable@...r.kernel.org>
Subject: RE: [PATCH] dmaengine: mcf-edma: Fix NULL pointer exception in
 mcf_edma_tx_handler

On 2020/06/11 Krzysztof Kozlowski <krzk@...nel.org> wrote:
> On Toradex Colibri VF50 (Vybrid VF5xx) with fsl-edma driver NULL pointer
> exception happens occasionally on serial output initiated by login timeout.
> 
> This was reproduced only if kernel was built with significant debugging options
> and EDMA driver is used with serial console.
> 
> Issue looks like a race condition between interrupt handler
> fsl_edma_tx_handler() (called as a result of fsl_edma_xfer_desc()) and
> terminating the transfer with fsl_edma_terminate_all().
> 
> The fsl_edma_tx_handler() handles interrupt for a transfer with already freed
> edesc and idle==true.
> 
> The mcf-edma driver shares design and a lot of code with fsl-edma.  It looks like
> being affected by the same problem.  Fix this pattern the same way as the fix for
> fsl-edma driver.
> 
> Fixes: e7a3ff92eaf1 ("dmaengine: fsl-edma: add ColdFire mcf5441x edma
> support")
> Cc: <stable@...r.kernel.org>
> Signed-off-by: Krzysztof Kozlowski <krzk@...nel.org>
Reviewed-by: Robin Gong <yibin.gong@....com>
> 
> ---
> 
> Not tested on HW.
> ---
>  drivers/dma/mcf-edma.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/drivers/dma/mcf-edma.c b/drivers/dma/mcf-edma.c index
> e15bd15a9ef6..e12b754e6398 100644
> --- a/drivers/dma/mcf-edma.c
> +++ b/drivers/dma/mcf-edma.c
> @@ -35,6 +35,13 @@ static irqreturn_t mcf_edma_tx_handler(int irq, void
> *dev_id)
>  			mcf_chan = &mcf_edma->chans[ch];
> 
>  			spin_lock(&mcf_chan->vchan.lock);
> +
> +			if (!mcf_chan->edesc) {
> +				/* terminate_all called before */
> +				spin_unlock(&mcf_chan->vchan.lock);
> +				continue;
> +			}
> +
>  			if (!mcf_chan->edesc->iscyclic) {
>  				list_del(&mcf_chan->edesc->vdesc.node);
>  				vchan_cookie_complete(&mcf_chan->edesc->vdesc);
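
Review bot: the early `continue` in the new `if (!mcf_chan->edesc)` branch skips the rest of the loop body for this channel, so please confirm that nothing this path still needs (for example acknowledging the channel interrupt) sits after the locked region, which the visible context does not show. Placing the check after `spin_lock(&mcf_chan->vchan.lock)` is the right spot, since the descriptor is then tested and dereferenced under the same lock. The comment `/* terminate_all called before */` could say a little more, for instance that the descriptor was already freed by a terminate that raced with this interrupt, so a later reader understands why a NULL `edesc` is expected here and is not a bug. Given the "Not tested on HW" remark, a Tested-by from someone with ColdFire hardware would be useful before this goes to stable.
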
> --
> 2.7.4
