[1/7] dmaengine: sprd: Fix the possible crash when getting engine status

We will get a NULL virtual descriptor by vchan_find_desc() when the descriptor
has been submitted, that will crash the kernel when getting the engine status.

In this case, since the descriptor has been submitted, which means the pointer
'schan->cur_desc' will point to the current descriptor, then we can use
'schan->cur_desc' to get the engine status to avoid this issue.

Signed-off-by: Baolin Wang <baolin.wang@linaro.org>

---
 drivers/dma/sprd-dma.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
1.7.9.5

On 15-04-19, 20:14, Baolin Wang wrote:
> We will get a NULL virtual descriptor by vchan_find_desc() when the descriptor

> has been submitted, that will crash the kernel when getting the engine status.


No that is wrong, status is for descriptor and not engine!

> In this case, since the descriptor has been submitted, which means the pointer

> 'schan->cur_desc' will point to the current descriptor, then we can use

> 'schan->cur_desc' to get the engine status to avoid this issue.


Nope, since the descriptor is completed, you return with residue as 0
and DMA_COMPLETE status!

> 

> Signed-off-by: Baolin Wang <baolin.wang@linaro.org>

> ---

>  drivers/dma/sprd-dma.c |    2 +-

>  1 file changed, 1 insertion(+), 1 deletion(-)

> 

> diff --git a/drivers/dma/sprd-dma.c b/drivers/dma/sprd-dma.c

> index 48431e2..e29342a 100644

> --- a/drivers/dma/sprd-dma.c

> +++ b/drivers/dma/sprd-dma.c

> @@ -625,7 +625,7 @@ static enum dma_status sprd_dma_tx_status(struct dma_chan *chan,

>  		else

>  			pos = 0;

>  	} else if (schan->cur_desc && schan->cur_desc->vd.tx.cookie == cookie) {

> -		struct sprd_dma_desc *sdesc = to_sprd_dma_desc(vd);

> +		struct sprd_dma_desc *sdesc = schan->cur_desc;

>  

>  		if (sdesc->dir == DMA_DEV_TO_MEM)

>  			pos = sprd_dma_get_dst_addr(schan);

> -- 

> 1.7.9.5


-- 
~Vinod

Hi Vinod,

On Mon, 29 Apr 2019 at 19:36, Vinod Koul <vkoul@kernel.org> wrote:
>

> On 15-04-19, 20:14, Baolin Wang wrote:

> > We will get a NULL virtual descriptor by vchan_find_desc() when the descriptor

> > has been submitted, that will crash the kernel when getting the engine status.

>

> No that is wrong, status is for descriptor and not engine!


Sure, will fix the commit message.

>

> > In this case, since the descriptor has been submitted, which means the pointer

> > 'schan->cur_desc' will point to the current descriptor, then we can use

> > 'schan->cur_desc' to get the engine status to avoid this issue.

>

> Nope, since the descriptor is completed, you return with residue as 0

> and DMA_COMPLETE status!


No, the descriptor is not completed now. If it is completed, we will
return 0 with DMA_COMPLETE status. But now the descriptor is on
progress, we should get the descriptor to return current residue.
Sorry for confusing description.

>

> >

> > Signed-off-by: Baolin Wang <baolin.wang@linaro.org>

> > ---

> >  drivers/dma/sprd-dma.c |    2 +-

> >  1 file changed, 1 insertion(+), 1 deletion(-)

> >

> > diff --git a/drivers/dma/sprd-dma.c b/drivers/dma/sprd-dma.c

> > index 48431e2..e29342a 100644

> > --- a/drivers/dma/sprd-dma.c

> > +++ b/drivers/dma/sprd-dma.c

> > @@ -625,7 +625,7 @@ static enum dma_status sprd_dma_tx_status(struct dma_chan *chan,

> >               else

> >                       pos = 0;

> >       } else if (schan->cur_desc && schan->cur_desc->vd.tx.cookie == cookie) {

> > -             struct sprd_dma_desc *sdesc = to_sprd_dma_desc(vd);

> > +             struct sprd_dma_desc *sdesc = schan->cur_desc;

> >

> >               if (sdesc->dir == DMA_DEV_TO_MEM)

> >                       pos = sprd_dma_get_dst_addr(schan);

> > --

> > 1.7.9.5

>

> --

> ~Vinod




-- 
Baolin Wang
Best Regards

On 29-04-19, 19:49, Baolin Wang wrote:
> Hi Vinod,

> 

> On Mon, 29 Apr 2019 at 19:36, Vinod Koul <vkoul@kernel.org> wrote:

> >

> > On 15-04-19, 20:14, Baolin Wang wrote:

> > > We will get a NULL virtual descriptor by vchan_find_desc() when the descriptor

> > > has been submitted, that will crash the kernel when getting the engine status.

> >

> > No that is wrong, status is for descriptor and not engine!

> 

> Sure, will fix the commit message.

> 

> >

> > > In this case, since the descriptor has been submitted, which means the pointer

> > > 'schan->cur_desc' will point to the current descriptor, then we can use

> > > 'schan->cur_desc' to get the engine status to avoid this issue.

> >

> > Nope, since the descriptor is completed, you return with residue as 0

> > and DMA_COMPLETE status!

> 

> No, the descriptor is not completed now. If it is completed, we will

> return 0 with DMA_COMPLETE status. But now the descriptor is on

> progress, we should get the descriptor to return current residue.

> Sorry for confusing description.


OKay will wait for updated description to understand the fix

> 

> >

> > >

> > > Signed-off-by: Baolin Wang <baolin.wang@linaro.org>

> > > ---

> > >  drivers/dma/sprd-dma.c |    2 +-

> > >  1 file changed, 1 insertion(+), 1 deletion(-)

> > >

> > > diff --git a/drivers/dma/sprd-dma.c b/drivers/dma/sprd-dma.c

> > > index 48431e2..e29342a 100644

> > > --- a/drivers/dma/sprd-dma.c

> > > +++ b/drivers/dma/sprd-dma.c

> > > @@ -625,7 +625,7 @@ static enum dma_status sprd_dma_tx_status(struct dma_chan *chan,

> > >               else

> > >                       pos = 0;

> > >       } else if (schan->cur_desc && schan->cur_desc->vd.tx.cookie == cookie) {

> > > -             struct sprd_dma_desc *sdesc = to_sprd_dma_desc(vd);

> > > +             struct sprd_dma_desc *sdesc = schan->cur_desc;

> > >

> > >               if (sdesc->dir == DMA_DEV_TO_MEM)

> > >                       pos = sprd_dma_get_dst_addr(schan);

> > > --

> > > 1.7.9.5

> >

> > --

> > ~Vinod

> 

> 

> 

> -- 

> Baolin Wang

> Best Regards


-- 
~Vinod