
[1/7] dmaengine: sprd: Fix the possible crash when getting engine status

Message ID 2eecd528e85377f03e6fbc5e7d6544b9c9f59cb1.1555330115.git.baolin.wang@linaro.org
State Changes Requested
Series Fix some bugs and add new feature for Spreadtrum DMA engine

Commit Message

(Exiting) Baolin Wang April 15, 2019, 12:14 p.m. UTC
We will get a NULL virtual descriptor by vchan_find_desc() when the descriptor
has been submitted, that will crash the kernel when getting the engine status.

In this case, since the descriptor has been submitted, which means the pointer
'schan->cur_desc' will point to the current descriptor, then we can use
'schan->cur_desc' to get the engine status to avoid this issue.

Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
---
 drivers/dma/sprd-dma.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Vinod Koul April 29, 2019, 11:35 a.m. UTC | #1
On 15-04-19, 20:14, Baolin Wang wrote:
> We will get a NULL virtual descriptor by vchan_find_desc() when the descriptor
> has been submitted, that will crash the kernel when getting the engine status.

No that is wrong, status is for descriptor and not engine!

> In this case, since the descriptor has been submitted, which means the pointer
> 'schan->cur_desc' will point to the current descriptor, then we can use
> 'schan->cur_desc' to get the engine status to avoid this issue.

Nope, since the descriptor is completed, you return with residue as 0
and DMA_COMPLETE status!

> 
> Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
> ---
>  drivers/dma/sprd-dma.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/dma/sprd-dma.c b/drivers/dma/sprd-dma.c
> index 48431e2..e29342a 100644
> --- a/drivers/dma/sprd-dma.c
> +++ b/drivers/dma/sprd-dma.c
> @@ -625,7 +625,7 @@ static enum dma_status sprd_dma_tx_status(struct dma_chan *chan,
>  		else
>  			pos = 0;
>  	} else if (schan->cur_desc && schan->cur_desc->vd.tx.cookie == cookie) {
> -		struct sprd_dma_desc *sdesc = to_sprd_dma_desc(vd);
> +		struct sprd_dma_desc *sdesc = schan->cur_desc;
>  
>  		if (sdesc->dir == DMA_DEV_TO_MEM)
>  			pos = sprd_dma_get_dst_addr(schan);
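Review bot: the new `sdesc = schan->cur_desc` assignment has no comment saying why `vd` cannot be used in this `else if` branch. The commit message states that vchan_find_desc() returns NULL once the descriptor has been submitted, so a one-line comment above the assignment saying that the descriptor is then reachable only through `cur_desc` would keep a later cleanup from switching it back to `to_sprd_dma_desc(vd)`.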
> -- 
> 1.7.9.5
(Exiting) Baolin Wang April 29, 2019, 11:49 a.m. UTC | #2
Hi Vinod,

On Mon, 29 Apr 2019 at 19:36, Vinod Koul <vkoul@kernel.org> wrote:
>
> On 15-04-19, 20:14, Baolin Wang wrote:
> > We will get a NULL virtual descriptor by vchan_find_desc() when the descriptor
> > has been submitted, that will crash the kernel when getting the engine status.
>
> No that is wrong, status is for descriptor and not engine!

Sure, will fix the commit message.

>
> > In this case, since the descriptor has been submitted, which means the pointer
> > 'schan->cur_desc' will point to the current descriptor, then we can use
> > 'schan->cur_desc' to get the engine status to avoid this issue.
>
> Nope, since the descriptor is completed, you return with residue as 0
> and DMA_COMPLETE status!

No, the descriptor is not completed now. If it is completed, we will
return 0 with DMA_COMPLETE status. But now the descriptor is in
progress, we should get the descriptor to return current residue.
Sorry for confusing description.

>
> >
> > Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
> > ---
> >  drivers/dma/sprd-dma.c |    2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/dma/sprd-dma.c b/drivers/dma/sprd-dma.c
> > index 48431e2..e29342a 100644
> > --- a/drivers/dma/sprd-dma.c
> > +++ b/drivers/dma/sprd-dma.c
> > @@ -625,7 +625,7 @@ static enum dma_status sprd_dma_tx_status(struct dma_chan *chan,
> >               else
> >                       pos = 0;
> >       } else if (schan->cur_desc && schan->cur_desc->vd.tx.cookie == cookie) {
> > -             struct sprd_dma_desc *sdesc = to_sprd_dma_desc(vd);
> > +             struct sprd_dma_desc *sdesc = schan->cur_desc;
> >
> >               if (sdesc->dir == DMA_DEV_TO_MEM)
> >                       pos = sprd_dma_get_dst_addr(schan);
> > --
> > 1.7.9.5
>
> --
> ~Vinod
Vinod Koul April 29, 2019, 12:02 p.m. UTC | #3
On 29-04-19, 19:49, Baolin Wang wrote:
> Hi Vinod,
> 
> On Mon, 29 Apr 2019 at 19:36, Vinod Koul <vkoul@kernel.org> wrote:
> >
> > On 15-04-19, 20:14, Baolin Wang wrote:
> > > We will get a NULL virtual descriptor by vchan_find_desc() when the descriptor
> > > has been submitted, that will crash the kernel when getting the engine status.
> >
> > No that is wrong, status is for descriptor and not engine!
> 
> Sure, will fix the commit message.
> 
> >
> > > In this case, since the descriptor has been submitted, which means the pointer
> > > 'schan->cur_desc' will point to the current descriptor, then we can use
> > > 'schan->cur_desc' to get the engine status to avoid this issue.
> >
> > Nope, since the descriptor is completed, you return with residue as 0
> > and DMA_COMPLETE status!
> 
> No, the descriptor is not completed now. If it is completed, we will
> return 0 with DMA_COMPLETE status. But now the descriptor is in
> progress, we should get the descriptor to return current residue.
> Sorry for confusing description.

Okay, will wait for updated description to understand the fix

> 
> >
> > >
> > > Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
> > > ---
> > >  drivers/dma/sprd-dma.c |    2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/dma/sprd-dma.c b/drivers/dma/sprd-dma.c
> > > index 48431e2..e29342a 100644
> > > --- a/drivers/dma/sprd-dma.c
> > > +++ b/drivers/dma/sprd-dma.c
> > > @@ -625,7 +625,7 @@ static enum dma_status sprd_dma_tx_status(struct dma_chan *chan,
> > >               else
> > >                       pos = 0;
> > >       } else if (schan->cur_desc && schan->cur_desc->vd.tx.cookie == cookie) {
> > > -             struct sprd_dma_desc *sdesc = to_sprd_dma_desc(vd);
> > > +             struct sprd_dma_desc *sdesc = schan->cur_desc;
> > >
> > >               if (sdesc->dir == DMA_DEV_TO_MEM)
> > >                       pos = sprd_dma_get_dst_addr(schan);
> > > --
> > > 1.7.9.5
> >
> > --
> > ~Vinod
> 
> 
> 
> -- 
> Baolin Wang
> Best Regards

Patch

diff --git a/drivers/dma/sprd-dma.c b/drivers/dma/sprd-dma.c
index 48431e2..e29342a 100644
--- a/drivers/dma/sprd-dma.c
+++ b/drivers/dma/sprd-dma.c
@@ -625,7 +625,7 @@  static enum dma_status sprd_dma_tx_status(struct dma_chan *chan,
 		else
 			pos = 0;
 	} else if (schan->cur_desc && schan->cur_desc->vd.tx.cookie == cookie) {
-		struct sprd_dma_desc *sdesc = to_sprd_dma_desc(vd);
+		struct sprd_dma_desc *sdesc = schan->cur_desc;
 
 		if (sdesc->dir == DMA_DEV_TO_MEM)
 			pos = sprd_dma_get_dst_addr(schan);
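Review bot: in the `else if` branch, `schan->cur_desc` is read twice in the condition and a third time for the new `sdesc` assignment, and the hunk does not show a lock covering those reads. If another path can clear or replace `cur_desc` between them, the NULL check no longer protects the `sdesc->dir` access that follows. Please confirm the channel lock is held across this branch, or take one snapshot of the pointer and use it for the check, the cookie comparison and the assignment.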