lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 20 Aug 2022 15:57:00 +0300
From:   Tudor Ambarus <tudor.ambarus@...rochip.com>
To:     <vkoul@...nel.org>, <peda@...ntia.se>, <du@...ntia.se>,
        <regressions@...mhuis.info>
CC:     <ludovic.desroches@...rochip.com>, <maciej.sosnowski@...el.com>,
        <tudor.ambarus@...rochip.com>, <dan.j.williams@...el.com>,
        <nicolas.ferre@...rochip.com>, <mripard@...nel.org>,
        <torfl6749@...il.com>, <linux-kernel@...r.kernel.org>,
        <dmaengine@...r.kernel.org>,
        <linux-arm-kernel@...ts.infradead.org>, <stable@...r.kernel.org>
Subject: [PATCH 16/33] dmaengine: at_hdmac: Fix concurrency over the active list

The tasklet did not held the channel lock when retrieving the first active
descriptor, causing concurrency problems if issue_pending() was called in
between. If issue_pending() was called exactly after the lock was released
in the tasklet, atc_chain_complete() could complete a descriptor for which
the controller has not yet raised an interrupt.

Fixes: dc78baa2b90b ("dmaengine: at_hdmac: new driver for the Atmel AHB DMA Controller")
Reported-by: Peter Rosin <peda@...ntia.se>
Cc: stable@...r.kernel.org
Signed-off-by: Tudor Ambarus <tudor.ambarus@...rochip.com>
Link: https://lore.kernel.org/lkml/13c6c9a2-6db5-c3bf-349b-4c127ad3496a@axentia.se/
---
 drivers/dma/at_hdmac.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/dma/at_hdmac.c b/drivers/dma/at_hdmac.c
index c2b3d7b63920..635c3be74399 100644
--- a/drivers/dma/at_hdmac.c
+++ b/drivers/dma/at_hdmac.c
@@ -897,8 +897,6 @@ atc_chain_complete(struct at_dma_chan *atchan, struct at_desc *desc)
 	if (!atc_chan_is_cyclic(atchan))
 		dma_cookie_complete(txd);
 
-	/* Remove transfer node from the active list. */
-	list_del_init(&desc->desc_node);
 	spin_unlock_irqrestore(&atchan->lock, flags);
 
 	dma_descriptor_unmap(txd);
@@ -930,6 +928,7 @@ atc_chain_complete(struct at_dma_chan *atchan, struct at_desc *desc)
  */
 static void atc_advance_work(struct at_dma_chan *atchan)
 {
+	struct at_desc *desc;
 	unsigned long flags;
 
 	dev_vdbg(chan2dev(&atchan->dma_chan), "advance_work\n");
@@ -937,9 +936,12 @@ static void atc_advance_work(struct at_dma_chan *atchan)
 	spin_lock_irqsave(&atchan->lock, flags);
 	if (atc_chan_is_enabled(atchan) || list_empty(&atchan->active_list))
 		return spin_unlock_irqrestore(&atchan->lock, flags);
-	spin_unlock_irqrestore(&atchan->lock, flags);
 
-	atc_chain_complete(atchan, atc_first_active(atchan));
+	desc = atc_first_active(atchan);
+	/* Remove the transfer node from the active list. */
+	list_del_init(&desc->desc_node);
+	spin_unlock_irqrestore(&atchan->lock, flags);
+	atc_chain_complete(atchan, desc);
 
 	/* advance work */
 	spin_lock_irqsave(&atchan->lock, flags);
-- 
2.25.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ