iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/drivers/dma
History
Koba Ko f3dc1b3b47 dmaengine: Fix double increment of client_count in dma_chan_get() 
The first time dma_chan_get() is called for a channel the channel
client_count is incorrectly incremented twice for public channels,
first in balance_ref_count(), and again prior to returning. This
results in an incorrect client count which will lead to the
channel resources not being freed when they should be. A simple
 test of repeated module load and unload of async_tx on a Dell
 Power Edge R7425 also shows this resulting in a kref underflow
 warning.

[  124.329662] async_tx: api initialized (async)
[  129.000627] async_tx: api initialized (async)
[  130.047839] ------------[ cut here ]------------
[  130.052472] refcount_t: underflow; use-after-free.
[  130.057279] WARNING: CPU: 3 PID: 19364 at lib/refcount.c:28
refcount_warn_saturate+0xba/0x110
[  130.065811] Modules linked in: async_tx(-) rfkill intel_rapl_msr
intel_rapl_common amd64_edac edac_mce_amd ipmi_ssif kvm_amd dcdbas kvm
mgag200 drm_shmem_helper acpi_ipmi irqbypass drm_kms_helper ipmi_si
syscopyarea sysfillrect rapl pcspkr ipmi_devintf sysimgblt fb_sys_fops
k10temp i2c_piix4 ipmi_msghandler acpi_power_meter acpi_cpufreq vfat
fat drm fuse xfs libcrc32c sd_mod t10_pi sg ahci crct10dif_pclmul
libahci crc32_pclmul crc32c_intel ghash_clmulni_intel igb megaraid_sas
i40e libata i2c_algo_bit ccp sp5100_tco dca dm_mirror dm_region_hash
dm_log dm_mod [last unloaded: async_tx]
[  130.117361] CPU: 3 PID: 19364 Comm: modprobe Kdump: loaded Not
tainted 5.14.0-185.el9.x86_64 #1
[  130.126091] Hardware name: Dell Inc. PowerEdge R7425/02MJ3T, BIOS
1.18.0 01/17/2022
[  130.133806] RIP: 0010:refcount_warn_saturate+0xba/0x110
[  130.139041] Code: 01 01 e8 6d bd 55 00 0f 0b e9 72 9d 8a 00 80 3d
26 18 9c 01 00 75 85 48 c7 c7 f8 a3 03 9d c6 05 16 18 9c 01 01 e8 4a
bd 55 00 <0f> 0b e9 4f 9d 8a 00 80 3d 01 18 9c 01 00 0f 85 5e ff ff ff
48 c7
[  130.157807] RSP: 0018:ffffbf98898afe68 EFLAGS: 00010286
[  130.163036] RAX: 0000000000000000 RBX: ffff9da06028e598 RCX: 0000000000000000
[  130.170172] RDX: ffff9daf9de26480 RSI: ffff9daf9de198a0 RDI: ffff9daf9de198a0
[  130.177316] RBP: ffff9da7cddf3970 R08: 0000000000000000 R09: 00000000ffff7fff
[  130.184459] R10: ffffbf98898afd00 R11: ffffffff9d9e8c28 R12: ffff9da7cddf1970
[  130.191596] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  130.198739] FS:  00007f646435c740(0000) GS:ffff9daf9de00000(0000)
knlGS:0000000000000000
[  130.206832] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  130.212586] CR2: 00007f6463b214f0 CR3: 00000008ab98c000 CR4: 00000000003506e0
[  130.219729] Call Trace:
[  130.222192]  <TASK>
[  130.224305]  dma_chan_put+0x10d/0x110
[  130.227988]  dmaengine_put+0x7a/0xa0
[  130.231575]  __do_sys_delete_module.constprop.0+0x178/0x280
[  130.237157]  ? syscall_trace_enter.constprop.0+0x145/0x1d0
[  130.242652]  do_syscall_64+0x5c/0x90
[  130.246240]  ? exc_page_fault+0x62/0x150
[  130.250178]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[  130.255243] RIP: 0033:0x7f6463a3f5ab
[  130.258830] Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48
83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00
00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89
01 48
[  130.277591] RSP: 002b:00007fff22f972c8 EFLAGS: 00000206 ORIG_RAX:
00000000000000b0
[  130.285164] RAX: ffffffffffffffda RBX: 000055b6786edd40 RCX: 00007f6463a3f5ab
[  130.292303] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055b6786edda8
[  130.299443] RBP: 000055b6786edd40 R08: 0000000000000000 R09: 0000000000000000
[  130.306584] R10: 00007f6463b9eac0 R11: 0000000000000206 R12: 000055b6786edda8
[  130.313731] R13: 0000000000000000 R14: 000055b6786edda8 R15: 00007fff22f995f8
[  130.320875]  </TASK>
[  130.323081] ---[ end trace eff7156d56b5cf25 ]---

cat /sys/class/dma/dma0chan*/in_use would get the wrong result.
2
2
2

Fixes: d2f4f99db3e9 ("dmaengine: Rework dma_chan_get")
Signed-off-by: Koba Ko <koba.ko@canonical.com>
Reviewed-by: Jie Hai <haijie1@huawei.com>
Test-by: Jie Hai <haijie1@huawei.com>
Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Tested-by: Joel Savitz <jsavitz@redhat.com>
Link: https://lore.kernel.org/r/20221201030050.978595-1-koba.ko@canonical.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
2023-01-18 17:36:49 +05:30
..
bestcomm
treewide: Replace GPLv2 boilerplate/reference with SPDX - gpl-2.0_56.RULE (part 2)
2022-06-10 14:51:35 +02:00
dw
dmaengine updates for v6.0-rc1
2022-08-04 18:44:38 -07:00
dw-axi-dmac
Add exception protection processing for vd in axi_chan_handle_err function
2023-01-18 17:27:30 +05:30
dw-edma
dmaengine: dw-edma: Remove runtime PM support
2022-09-29 22:46:08 +05:30
fsl-dpaa2-qdma
dmaengine: fsl-dpaa2-qdma: Drop comma after SoC match table sentinel
2022-03-11 15:47:39 +05:30
hsu
dmaengine: hsu: Include headers we are direct user of
2022-09-04 22:49:35 +05:30
idxd
dmaengine: idxd: Do not call DMX TX callbacks during workqueue disable
2022-12-28 16:24:50 +05:30
ioat
dmaengine: ioat: Fix spelling mistake "idel" -> "idle"
2022-10-19 18:56:57 +05:30
ipu
dmaengine: ipu: Fix fall-through warning for Clang
2021-07-13 14:38:47 -05:00
lgm
dmaengine: lgm: Move DT parsing after initialization
2023-01-18 15:32:16 +05:30
mediatek
dmaengine: mediatek: mtk-hsdma: Fix typo 'the the' in comment
2022-07-26 22:06:05 +05:30
ppc4xx
treewide: Replace GPLv2 boilerplate/reference with SPDX - gpl-2.0_406.RULE
2022-06-10 14:51:37 +02:00
ptdma
dmaengine: ptdma: statify pt_tx_status
2022-04-22 11:29:13 +05:30
qcom
dmaengine: qcom: gpi: Set link_rx bit on GO TRE for rx operation
2022-12-28 12:26:11 +05:30
sf-pdma
dmaengine: sf-pdma:Remove the print function dev_err()
2022-09-05 11:50:38 +05:30
sh
dmaengine: sh: Remove unused shdma-arm.h
2022-11-04 20:12:41 +05:30
ti
dmaengine: ti: k3-udma: Do conditional decrement of UDMA_CHAN_RT_PEER_BCNT_REG
2022-12-28 16:34:14 +05:30
xilinx
dmaengine: xilinx_dma : add xilinx_dma_device_config() return documentation
2022-11-04 19:54:15 +05:30
acpi-dma.c
dmaengine: acpi: Check for errors from acpi_register_gsi() separately
2021-08-06 21:48:11 +05:30
altera-msgdma.c
dmaengine: altera-msgdma: Fixed some inconsistent function name descriptions
2022-07-06 22:00:06 +05:30
amba-pl08x.c
dmaengine: pl08x: Fix double word
2022-09-29 12:24:16 +05:30
apple-admac.c
Merge branch 'fixes' into next
2022-11-11 12:14:26 +05:30
at_hdmac.c
dmaengine: at_hdmac: Convert driver to use virt-dma
2022-11-11 12:15:09 +05:30
at_xdmac.c
dmaengine: at_xdmac: Replace two if statements with only one with two conditions
2022-09-05 12:01:55 +05:30
bcm2835-dma.c
dmaengine: bcm2835: Drop local dma_parms
2020-09-11 17:42:12 +05:30
bcm-sba-raid.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - gpl-2.0_30.RULE (part 2)
2022-06-10 14:51:35 +02:00
dma-axi-dmac.c
dmaengine: axi-dmac: check cache coherency register
2022-07-26 22:05:20 +05:30
dma-jz4780.c
dmaengine: JZ4780: Add support for the JZ4755.
2022-10-19 19:13:16 +05:30
dmaengine.c
dmaengine: Fix double increment of client_count in dma_chan_get()
2023-01-18 17:36:49 +05:30
dmaengine.h
dmaengine: dmaengine_desc_callback_valid(): Check for callback_result
2021-10-25 09:42:56 +05:30
dmatest.c
treewide: use get_random_bytes() when possible
2022-10-11 17:42:58 -06:00
ep93xx_dma.c
dmaengine: ep93xx: Fix typo in comments
2022-07-01 21:50:23 +05:30
fsl_raid.c
dmaengine: fsl: remove bad channel update
2020-10-05 09:59:17 +05:30
fsl_raid.h
fsl-edma-common.c
dmaengine: fsl-edma: remove redundant assignment to pointer last_sg
2022-07-01 22:09:16 +05:30
fsl-edma-common.h
dmaengine: fsl-edma: support edma memcpy
2021-10-28 22:56:24 +05:30
fsl-edma.c
dmaengine: fsl-edma: support edma memcpy
2021-10-28 22:56:24 +05:30
fsl-qdma.c
dmaengine: fsl-qdma: check dma_set_mask return value
2021-05-10 19:51:03 +05:30
fsldma.c
dmaengine: fsldma: Fix a resource leak in an error handling path of the probe function
2021-01-12 18:00:39 +05:30
fsldma.h
fsldma: fix very broken 32-bit ppc ioread64 functionality
2020-08-29 13:50:56 -07:00
hisi_dma.c
dmaengine: hisilicon: Dump regs to debugfs
2022-09-04 22:42:35 +05:30
idma64.c
dmaengine: idma64: Make idma64_remove() return void
2022-10-19 19:17:35 +05:30
idma64.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500
2019-06-19 17:09:55 +02:00
img-mdc-dma.c
imx-dma.c
dmaengine: imx-dma: Cast of_device_get_match_data() with (uintptr_t)
2022-07-21 18:08:35 +05:30
imx-sdma.c
dmaengine updates for v6.0-rc1
2022-08-04 18:44:38 -07:00
k3dma.c
dmaengine: k3dma: use the correct HiSilicon copyright
2021-04-12 17:14:53 +05:30
Kconfig
dmaengine updates for v6.2
2022-12-19 08:54:17 -06:00
lpc18xx-dmamux.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500
2019-06-19 17:09:55 +02:00
Makefile
dmaengine: Revert "dmaengine: remove s3c24xx driver"
2022-12-02 17:11:50 +05:30
mcf-edma.c
dmaengine: mcf-edma: Fix NULL pointer exception in mcf_edma_tx_handler
2020-06-24 13:06:15 +05:30
milbeaut-hdmac.c
dmaengine: milbeaut-hdmac: Prefer kcalloc over open coded arithmetic
2021-10-25 12:12:13 +05:30
milbeaut-xdmac.c
dmaengine: milbeaut-xdmac: Fix a resource leak in the error handling path of the probe function
2020-12-29 10:08:00 +05:30
mmp_pdma.c
dmaengine: mmp: deprecate '#dma-channels'
2022-05-19 22:53:46 +05:30
mmp_tdma.c
dmaengine: mmp: convert tasklets to use new tasklet_setup() API
2020-09-18 12:19:06 +05:30
moxart-dma.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - gpl-2.0_56.RULE (part 2)
2022-06-10 14:51:35 +02:00
mpc512x_dma.c
dmaengine: mpc512x: Fix fall-through warning for Clang
2021-07-14 11:05:55 -05:00
mv_xor_v2.c
dmaengine: mv_xor_v2: Fix a resource leak in mv_xor_v2_remove()
2022-11-08 10:43:56 +05:30
mv_xor.c
dmaengine: mv_xor: drop of_match_ptr from of_device_id table
2020-11-24 23:02:20 +05:30
mv_xor.h
mxs-dma.c
dmaengine: mxs: use platform_driver_register
2022-09-29 12:05:20 +05:30
nbpfaxi.c
dmaengine: nbpfaxi: Use platform_get_irq_optional() to get the interrupt
2022-04-11 16:26:53 +05:30
of-dma.c
dmaengine: of-dma: router_xlate to return -EPROBE_DEFER if controller is not yet available
2021-07-28 12:54:50 +05:30
owl-dma.c
dmaengine: owl: fix typo in comment
2022-07-06 10:50:43 +05:30
pch_dma.c
dmaengine: pch_dma: Remove usage of the deprecated "pci-dma-compat.h" API
2022-01-08 22:16:44 +05:30
pl330.c
dmaengine: pl330: Remove unused flags
2022-09-05 12:01:54 +05:30
plx_dma.c
dmaengine: plx_dma: Move spin_lock_bh() to spin_lock()
2022-04-20 15:59:33 +05:30
pxa_dma.c
dmaengine: pxa_dma: use platform_get_irq_optional
2022-11-08 10:42:51 +05:30
s3c24xx-dma.c
dmaengine: Revert "dmaengine: remove s3c24xx driver"
2022-12-02 17:11:50 +05:30
sa11x0-dma.c
dmaengine: sa11x0: Mark PM functions as __maybe_unused
2021-10-26 10:55:07 +05:30
sprd-dma.c
dmaengine: sprd: Cleanup in .remove() after pm_runtime_get_sync() failed
2022-07-26 18:20:49 +05:30
st_fdma.c
dmaengine: st_fdma: fix MODULE_ALIAS
2021-12-13 13:18:48 +05:30
st_fdma.h
ste_dma40_ll.c
ste_dma40_ll.h
ste_dma40.c
dmaengine: ste_dma40: fix typo in comment
2022-07-06 10:54:08 +05:30
stm32-dma.c
dmaengine: stm32-dma: fix potential race between pause and resume
2022-11-08 10:43:56 +05:30
stm32-dmamux.c
dmaengine: stm32-dmamux: Simplify code and save a few bytes of memory
2022-09-05 11:52:28 +05:30
stm32-mdma.c
dmaengine: stm32-mdma: memset stm32_mdma_chan_config struct before using it
2022-10-19 19:01:19 +05:30
sun4i-dma.c
dmaengine: sun4i: Set the maximum segment size
2022-07-05 18:34:26 +05:30
sun6i-dma.c
dmaengine: sun6i: Add support for the D1 variant
2022-05-19 23:43:41 +05:30
tegra20-apb-dma.c
dmaengine: tegra20-apb: stop checking config->slave_id
2021-12-17 11:23:38 +05:30
tegra186-gpc-dma.c
dmaengine: tegra: Add support for dma-channel-mask
2022-11-14 04:01:12 +05:30
tegra210-adma.c
dmaengine: tegra210-adma: fix global intr clear
2023-01-18 17:34:36 +05:30
timb_dma.c
dmaengine: timb_dma: convert tasklets to use new tasklet_setup() API
2020-09-18 12:19:07 +05:30
TODO
txx9dmac.c
dmaengine: txx9dmac: convert tasklets to use new tasklet_setup() API
2020-09-18 12:19:07 +05:30
txx9dmac.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500
2019-06-19 17:09:55 +02:00
uniphier-mdmac.c
dmaengine: uniphier-mdmac: replace zero-length array with flexible-array member
2020-02-13 20:15:57 +05:30
uniphier-xdmac.c
dmaengine: uniphier-xdmac: Fix type of address variables
2022-01-03 17:49:37 +05:30
virt-dma.c
dmaengine: virt-dma: convert tasklets to use new tasklet_setup() API
2020-09-18 12:19:07 +05:30
virt-dma.h
dmaengine: virt-dma: Add missing locking around list operations
2019-12-26 10:04:18 +05:30
xgene-dma.c
dmaengine: xgene: convert tasklets to use new tasklet_setup() API
2020-09-18 12:19:07 +05:30