mint0x33/drivers/dma
Koba Ko 1b409e14b4 dmaengine: Fix double increment of client_count in dma_chan_get()
[ Upstream commit f3dc1b3b4750851a94212dba249703dd0e50bb20 ]

The first time dma_chan_get() is called for a channel the channel
client_count is incorrectly incremented twice for public channels,
first in balance_ref_count(), and again prior to returning. This
results in an incorrect client count which will lead to the
channel resources not being freed when they should be. A simple
test of repeated module load and unload of async_tx on a Dell
PowerEdge R7425 also shows this resulting in a kref underflow
warning.

[  124.329662] async_tx: api initialized (async)
[  129.000627] async_tx: api initialized (async)
[  130.047839] ------------[ cut here ]------------
[  130.052472] refcount_t: underflow; use-after-free.
[  130.057279] WARNING: CPU: 3 PID: 19364 at lib/refcount.c:28
refcount_warn_saturate+0xba/0x110
[  130.065811] Modules linked in: async_tx(-) rfkill intel_rapl_msr
intel_rapl_common amd64_edac edac_mce_amd ipmi_ssif kvm_amd dcdbas kvm
mgag200 drm_shmem_helper acpi_ipmi irqbypass drm_kms_helper ipmi_si
syscopyarea sysfillrect rapl pcspkr ipmi_devintf sysimgblt fb_sys_fops
k10temp i2c_piix4 ipmi_msghandler acpi_power_meter acpi_cpufreq vfat
fat drm fuse xfs libcrc32c sd_mod t10_pi sg ahci crct10dif_pclmul
libahci crc32_pclmul crc32c_intel ghash_clmulni_intel igb megaraid_sas
i40e libata i2c_algo_bit ccp sp5100_tco dca dm_mirror dm_region_hash
dm_log dm_mod [last unloaded: async_tx]
[  130.117361] CPU: 3 PID: 19364 Comm: modprobe Kdump: loaded Not
tainted 5.14.0-185.el9.x86_64 #1
[  130.126091] Hardware name: Dell Inc. PowerEdge R7425/02MJ3T, BIOS
1.18.0 01/17/2022
[  130.133806] RIP: 0010:refcount_warn_saturate+0xba/0x110
[  130.139041] Code: 01 01 e8 6d bd 55 00 0f 0b e9 72 9d 8a 00 80 3d
26 18 9c 01 00 75 85 48 c7 c7 f8 a3 03 9d c6 05 16 18 9c 01 01 e8 4a
bd 55 00 <0f> 0b e9 4f 9d 8a 00 80 3d 01 18 9c 01 00 0f 85 5e ff ff ff
48 c7
[  130.157807] RSP: 0018:ffffbf98898afe68 EFLAGS: 00010286
[  130.163036] RAX: 0000000000000000 RBX: ffff9da06028e598 RCX: 0000000000000000
[  130.170172] RDX: ffff9daf9de26480 RSI: ffff9daf9de198a0 RDI: ffff9daf9de198a0
[  130.177316] RBP: ffff9da7cddf3970 R08: 0000000000000000 R09: 00000000ffff7fff
[  130.184459] R10: ffffbf98898afd00 R11: ffffffff9d9e8c28 R12: ffff9da7cddf1970
[  130.191596] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  130.198739] FS:  00007f646435c740(0000) GS:ffff9daf9de00000(0000)
knlGS:0000000000000000
[  130.206832] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  130.212586] CR2: 00007f6463b214f0 CR3: 00000008ab98c000 CR4: 00000000003506e0
[  130.219729] Call Trace:
[  130.222192]  <TASK>
[  130.224305]  dma_chan_put+0x10d/0x110
[  130.227988]  dmaengine_put+0x7a/0xa0
[  130.231575]  __do_sys_delete_module.constprop.0+0x178/0x280
[  130.237157]  ? syscall_trace_enter.constprop.0+0x145/0x1d0
[  130.242652]  do_syscall_64+0x5c/0x90
[  130.246240]  ? exc_page_fault+0x62/0x150
[  130.250178]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[  130.255243] RIP: 0033:0x7f6463a3f5ab
[  130.258830] Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48
83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00
00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89
01 48
[  130.277591] RSP: 002b:00007fff22f972c8 EFLAGS: 00000206 ORIG_RAX:
00000000000000b0
[  130.285164] RAX: ffffffffffffffda RBX: 000055b6786edd40 RCX: 00007f6463a3f5ab
[  130.292303] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055b6786edda8
[  130.299443] RBP: 000055b6786edd40 R08: 0000000000000000 R09: 0000000000000000
[  130.306584] R10: 00007f6463b9eac0 R11: 0000000000000206 R12: 000055b6786edda8
[  130.313731] R13: 0000000000000000 R14: 000055b6786edda8 R15: 00007fff22f995f8
[  130.320875]  </TASK>
[  130.323081] ---[ end trace eff7156d56b5cf25 ]---

cat /sys/class/dma/dma0chan*/in_use would get the wrong result.
2
2
2

Fixes: d2f4f99db3 ("dmaengine: Rework dma_chan_get")
Signed-off-by: Koba Ko <koba.ko@canonical.com>
Reviewed-by: Jie Hai <haijie1@huawei.com>
Test-by: Jie Hai <haijie1@huawei.com>
Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Tested-by: Joel Savitz <jsavitz@redhat.com>
Link: https://lore.kernel.org/r/20221201030050.978595-1-koba.ko@canonical.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-02-06 07:46:30 +01:00
bestcomm
dw dmaengine: dw: Make it dependent to HAS_IOMEM 2021-04-28 12:08:39 +02:00
hsu dmaengine: hsu: disable spurious interrupt 2021-03-03 18:22:45 +01:00
ioat dmaengine: ioat: stop mod_timer from resurrecting deleted timer in __cleanup() 2022-10-26 13:17:06 +02:00
ipu
ppc4xx
qcom dmaengine: QCOM_HIDMA_MGMT depends on HAS_IOMEM 2021-06-30 08:48:48 -04:00
sh dmaengine: Revert "dmaengine: shdma: Fix runtime PM imbalance on error" 2022-04-20 09:08:30 +02:00
xilinx dmaengine: xilinx_dma: Report error in case of dma_set_mask_and_coherent API failure 2022-10-26 13:16:51 +02:00
acpi-dma.c dmaengine: acpi: Avoid comparison GSI with Linux vIRQ 2021-09-26 13:37:28 +02:00
altera-msgdma.c
amba-pl08x.c
at_hdmac.c dmaengine: at_hdmac: Check return code of dma_async_device_register 2022-11-25 17:36:48 +01:00
at_hdmac_regs.h dmaengine: at_hdmac: Fix at_lli struct definition 2022-11-25 17:36:47 +01:00
at_xdmac.c dmaengine: at_xdma: handle errors of at_xdmac_alloc_desc() correctly 2022-07-12 16:27:29 +02:00
bcm-sba-raid.c
bcm2835-dma.c
coh901318.c dmaengine: coh901318: Fix a double lock bug in dma_tc_handle() 2020-03-11 18:03:08 +01:00
coh901318.h
coh901318_lli.c
cppi41.c
dma-axi-dmac.c dmaengine: axi-dmac: Don't check the number of frames for alignment 2020-01-27 14:46:30 +01:00
dma-jz4740.c
dma-jz4780.c dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status 2020-11-05 11:07:01 +01:00
dmaengine.c dmaengine: Fix double increment of client_count in dma_chan_get() 2023-02-06 07:46:30 +01:00
dmaengine.h dmaengine: dmaengine_desc_callback_valid(): Check for callback_result 2021-11-26 11:40:35 +01:00
dmatest.c dmaengine: dmatest: Fix iteration non-stop logic 2020-05-05 19:15:53 +02:00
edma.c dmaengine: ti: edma: fix missed failure handling 2020-01-27 14:46:52 +01:00
ep93xx_dma.c
fsl-edma.c dmaengine: fsl-edma: Fix NULL pointer exception in fsl_edma_tx_handler 2020-07-22 09:22:28 +02:00
fsl_raid.c
fsl_raid.h
fsldma.c dmaengine: fsldma: Fix a resource leak in an error handling path of the probe function 2021-03-03 18:22:45 +01:00
fsldma.h
idma64.c
idma64.h
img-mdc-dma.c
imx-dma.c
imx-sdma.c dmaengine: imx-sdma: Fix error checking in sdma_event_remap 2022-04-27 13:15:29 +02:00
iop-adma.c
k3dma.c
Kconfig dmaengine: ioat: depends on !UML 2021-09-26 13:37:29 +02:00
lpc18xx-dmamux.c
Makefile
mic_x100_dma.c
mic_x100_dma.h
mmp_pdma.c dmaengine: pxa/mmp: stop referencing config->slave_id 2022-01-27 09:00:52 +01:00
mmp_tdma.c dmaengine: mmp_tdma: Reset channel error on release 2020-05-20 08:17:06 +02:00
moxart-dma.c
mpc512x_dma.c
mv_xor.c dmaengine: mv_xor: Use correct device for DMA API 2020-01-27 14:46:20 +01:00
mv_xor.h
mv_xor_v2.c dmaengine: mv_xor_v2: Fix a resource leak in mv_xor_v2_remove() 2022-11-25 17:36:46 +01:00
mxs-dma.c
nbpfaxi.c
of-dma.c dmaengine: of-dma: router_xlate to return -EPROBE_DEFER if controller is not yet available 2021-08-26 08:37:07 -04:00
omap-dma.c
pch_dma.c dmaengine: pch_dma.c: Avoid data race between probe and irq handler 2020-05-20 08:17:06 +02:00
pl330.c dmaengine: pl330: fix wrong usage of spinlock flags in dma_cyclc 2021-06-30 08:48:54 -04:00
pxa_dma.c dmaengine: pxa/mmp: stop referencing config->slave_id 2022-01-27 09:00:52 +01:00
s3c24xx-dma.c
sa11x0-dma.c
sirf-dma.c
st_fdma.c dmaengine: st_fdma: fix MODULE_ALIAS 2021-12-22 09:17:59 +01:00
st_fdma.h
ste_dma40.c dmaengine: stedma40: add missing iounmap() on error in d40_probe() 2021-06-30 08:48:48 -04:00
ste_dma40_ll.c
ste_dma40_ll.h
stm32-dma.c
sun4i-dma.c
sun6i-dma.c
tegra20-apb-dma.c dmaengine: tegra-apb: Prevent race conditions on channel's freeing 2020-10-01 13:12:35 +02:00
tegra210-adma.c dmaengine: tegra210-adma: Fix runtime PM imbalance on error 2020-07-29 07:42:55 +02:00
ti-dma-crossbar.c dmaengine: ti: Add missing put_device in ti_dra7_xbar_route_allocate 2022-07-12 16:27:29 +02:00
timb_dma.c
TODO
txx9dmac.c
txx9dmac.h
virt-dma.c
virt-dma.h
xgene-dma.c
zx_dma.c