Re: [PATCH 3/3] dmaengine: rcar-dmac: wait for ISR to finish before freeing resources

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi Geert,

On 2017-03-29 15:30:42 +0200, Niklas Söderlund wrote:
> Hi Geert,
> 
> On 2017-03-29 14:31:33 +0200, Geert Uytterhoeven wrote:
> > Hi Niklas,
> > 
> > On Wed, Mar 29, 2017 at 12:40 AM, Niklas Söderlund
> > <niklas.soderlund+renesas@xxxxxxxxxxxx> wrote:
> > > This fixes a race condition where the channel resources could be freed
> > > before the ISR had finished running resulting in a NULL pointer
> > > reference from the ISR.
> > >
> > > [  167.148934] Unable to handle kernel NULL pointer dereference at virtual address 00000000
> > > [  167.157051] pgd = ffff80003c641000
> > > [  167.160449] [00000000] *pgd=000000007c507003, *pud=000000007c4ff003, *pmd=0000000000000000
> > > [  167.168719] Internal error: Oops: 96000046 [#1] PREEMPT SMP
> > > [  167.174289] Modules linked in:
> > > [  167.177348] CPU: 3 PID: 10547 Comm: dma_ioctl Not tainted 4.11.0-rc1-00001-g8d92afddc2f6633a #73
> > > [  167.186131] Hardware name: Renesas Salvator-X board based on r8a7795 (DT)
> > > [  167.192917] task: ffff80003a411a00 task.stack: ffff80003bcd4000
> > > [  167.198850] PC is at rcar_dmac_chan_prep_sg+0xe0/0x400
> > > [  167.203985] LR is at rcar_dmac_chan_prep_sg+0x48/0x400
> > 
> > Do you have a test case to trigger this?
> 
> Yes I have a testcase, it's rather complex and involves both a kernel 
> module and a userspaces application to stress the rcar-dmac. I'm 
> checking if I can share this publicly or not, please hold :-)

I have now received feedback that I'm unfortunately not allowed to share 
the test case :-(

The big picture in how to trigger this problem is that you start a DMA 
transfer like this:

struct dma_async_tx_descriptor *tx = ...;

...

tx->tx_submit(tx);

And then you directly call dma_release_channel() on this channel without 
making sure the completion callback ran or anything. Now if you are 
unlucky the ISR have not finished running for the DMA when 
dma_release_channel() starts to clean up resources. The synchronisation 
point in the dma_release_channel() call path fixes this.

> 
> > 
> > Thanks!
> > 
> > Gr{oetje,eeting}s,
> > 
> >                         Geert
> > 
> > --
> > Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@xxxxxxxxxxxxxx
> > 
> > In personal conversations with technical people, I call myself a hacker. But
> > when I'm talking to journalists I just say "programmer" or something like that.
> >                                 -- Linus Torvalds
> 
> -- 
> Regards,
> Niklas Söderlund

-- 
Regards,
Niklas Söderlund
[Index of Archives]     [Linux Samsung SOC]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux