linux-kernel - [PATCH] dmaengine: release channels on device unregister

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite: Windows password security audit tool. GUI, reports in PDF.

[<prev] [next>] [day] [month] [year] [list]

Date:   Mon, 28 Feb 2022 05:27:41 +0200
From:   Dāvis Mosāns <davispuh@...il.com>
To:     linux-kernel@...r.kernel.org
Cc:     Vinod Koul <vkoul@...nel.org>, dmaengine@...r.kernel.org,
        Dāvis Mosāns <davispuh@...il.com>
Subject: [PATCH] dmaengine: release channels on device unregister

Currently if dma_async_device_unregister is invoked while some clients
still hold a reference to some channels it would prevent device to be released
which would leave dangling pointers inside dma_device_list and cause crashes
in methods that tries to use it

Fix it by force releasing channels which will allow device to be also released

BUG: kernel NULL pointer dereference, address: 0000000000000000
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
RIP: 0010:dma_issue_pending_all (drivers/dma/dmaengine.c:562)
All code
========
   0:   45 20 49 8d             and    %r9b,-0x73(%r9)
   4:   55                      push   %rbp
   5:   20 4c 89 ed             and    %cl,-0x13(%rcx,%rcx,4)
   9:   48 83 e8 20             sub    $0x20,%rax
   d:   48 81 fa e0 7a 18 b2    cmp    $0xffffffffb2187ae0,%rdx
  14:   74 52                   je     0x68
  16:   49 89 c5                mov    %rax,%r13
  19:   48 8b 45 48             mov    0x48(%rbp),%rax
  1d:   f6 c4 02                test   $0x2,%ah
  20:   75 dc                   jne    0xfffffffffffffffe
  22:   48 8b 45 10             mov    0x10(%rbp),%rax
  26:   4c 8d 65 10             lea    0x10(%rbp),%r12
  2a:*  48 8b 08                mov    (%rax),%rcx              <-- trapping instruction
  2d:   48 8d 78 c8             lea    -0x38(%rax),%rdi
  31:   48 8d 59 c8             lea    -0x38(%rcx),%rbx
  35:   49 39 c4                cmp    %rax,%r12
  38:   75 05                   jne    0x3f
  3a:   eb c2                   jmp    0xfffffffffffffffe
  3c:   48 89 c3                mov    %rax,%rbx
  3f:   8b                      .byte 0x8b

RSP: 0018:ffff987e44a9fde0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8bdc410e6e00 RCX: 0000000000000000
RDX: ffff8bdc41700e48 RSI: ffffffffb090de19 RDI: ffff8bdc410e6e00
RBP: ffff8bdc41700e28 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8bdc41700e38
R13: ffffffffffffffe0 R14: ffff8bdc4b3e5000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8be39b380000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000018e1b6000 CR4: 00000000003506e0
Call Trace:
 <TASK>
raid5d (drivers/md/raid5.c:6563) raid456
? rcu_read_lock_sched_held (kernel/rcu/update.c:104 kernel/rcu/update.c:123)
md_thread (drivers/md/md.c:7923) md_mod
? do_wait_intr (kernel/sched/wait.c:415)
? rdev_read_only.isra.0 (drivers/md/md.c:7887) md_mod
kthread (kernel/kthread.c:377)
? kthread_complete_and_exit (kernel/kthread.c:332)
ret_from_fork (arch/x86/entry/entry_64.S:301)
 </TASK>

Signed-off-by: Dāvis Mosāns <davispuh@...il.com>
---
 drivers/dma/dmaengine.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/dma/dmaengine.c b/drivers/dma/dmaengine.c
index 2cfa8458b51be..92d4d0522694c 100644
--- a/drivers/dma/dmaengine.c
+++ b/drivers/dma/dmaengine.c
@@ -1112,6 +1112,9 @@ static void __dma_async_device_channel_unregister(struct dma_device *device,
 	mutex_lock(&dma_list_mutex);
 	device->chancnt--;
 	chan->dev->chan = NULL;
+	while (chan->client_count) {
+		dma_chan_put(chan);
+	}
 	mutex_unlock(&dma_list_mutex);
 	mutex_lock(&device->chan_mutex);
 	ida_free(&device->chan_ida, chan->chan_id);
-- 
2.35.1