From patchwork Thu Feb 13 09:39:01 2014
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Linus Walleij <linus.walleij@linaro.org>
X-Patchwork-Id: 24581
Return-Path: <patchwork-forward+bncBDE6RCFOWIARBUVF6KLQKGQEM3NDCJQ@linaro.org>
X-Original-To: linaro@patches.linaro.org
Delivered-To: linaro@patches.linaro.org
Received: from mail-vb0-f72.google.com (mail-vb0-f72.google.com
 [209.85.212.72])
 by ip-10-151-82-157.ec2.internal (Postfix) with ESMTPS id 3E6BF202E2
 for <linaro@patches.linaro.org>; Thu, 13 Feb 2014 09:39:31 +0000 (UTC)
Received: by mail-vb0-f72.google.com with SMTP id w20sf22018629vbb.11
 for <linaro@patches.linaro.org>; Thu, 13 Feb 2014 01:39:30 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:mime-version:delivered-to:from:to:cc:subject
 :date:message-id:sender:precedence:list-id:x-original-sender
 :x-original-authentication-results:mailing-list:list-post:list-help
 :list-archive:list-unsubscribe;
 bh=c+KR2SBWgtDYTe44fnjI8lJvgS0h8b+VRq3aPE9VLxw=;
 b=f3TwWPBu7OprcaOvCte1ZQ4NP+f242+erYCbHS0B5WV7oPS+K3qJ014qDzk91VPsMM
 TwfxZaxFJHm6Ct+ZrcAP2twM/qVbCXzpFBz3wSiA2eDoBRjrhEMmxFWcDZGh0sv6Zgyn
 PtgTG/kSu5a51+NECbrZgkcINvJN7Zdh9atZ9Q/RTwVCwU2N3fzo/3vHZu+etF9fK7HA
 l8EE5DoxRejfH+DpUfTddAuAD07h0LlnY9s5/zltnI25AIMpmssudJePiIAyuNkF5SPp
 /5X6Sqkd9geMnaYtt+AB7Pc1TyW9fD5s/orD5MjbleSzduG5WSXU7ZLYw09WW0lbUjBx
 ym9g==
X-Gm-Message-State: ALoCoQlPwc6f6f9eLZnydsAdtqq9Ezselk05d2BvpFvdaNXXy8olwhPtEl8WHDL3kLk/AgQguZYV
X-Received: by 10.58.40.97 with SMTP id w1mr163830vek.13.1392284370357;
 Thu, 13 Feb 2014 01:39:30 -0800 (PST)
MIME-Version: 1.0
X-BeenThere: patchwork-forward@linaro.org
Received: by 10.140.33.200 with SMTP id j66ls3330881qgj.80.gmail; Thu, 13 Feb
 2014 01:39:30 -0800 (PST)
X-Received: by 10.220.164.80 with SMTP id d16mr214141vcy.15.1392284370168;
 Thu, 13 Feb 2014 01:39:30 -0800 (PST)
Received: from mail-vc0-f174.google.com (mail-vc0-f174.google.com
 [209.85.220.174]) by mx.google.com with ESMTPS id
 kl10si453286vdb.129.2014.02.13.01.39.29
 for <patchwork-forward@linaro.org>
 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
 Thu, 13 Feb 2014 01:39:29 -0800 (PST)
Received-SPF: neutral (google.com: 209.85.220.174 is neither permitted nor
 denied by best guess record for domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org)
 client-ip=209.85.220.174; 
Received: by mail-vc0-f174.google.com with SMTP id im17so8044442vcb.33
 for <patchwork-forward@linaro.org>;
 Thu, 13 Feb 2014 01:39:29 -0800 (PST)
X-Received: by 10.220.103.141 with SMTP id k13mr211397vco.25.1392284369626; 
 Thu, 13 Feb 2014 01:39:29 -0800 (PST)
X-Forwarded-To: patchwork-forward@linaro.org
X-Forwarded-For: patch@linaro.org patchwork-forward@linaro.org
Delivered-To: patch@linaro.org
Received: by 10.220.174.196 with SMTP id u4csp12254vcz;
 Thu, 13 Feb 2014 01:39:29 -0800 (PST)
X-Received: by 10.68.164.4 with SMTP id ym4mr555252pbb.53.1392284368724;
 Thu, 13 Feb 2014 01:39:28 -0800 (PST)
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id yt9si1459666pab.62.2014.02.13.01.39.27;
 Thu, 13 Feb 2014 01:39:27 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender) client-ip=209.132.180.67; 
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1753847AbaBMJjT (ORCPT <rfc822;linus.walleij@linaro.org>
 + 27 others); Thu, 13 Feb 2014 04:39:19 -0500
Received: from mail-we0-f178.google.com ([74.125.82.178]:56934 "EHLO
 mail-we0-f178.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S1753199AbaBMJjQ (ORCPT
 <rfc822;linux-kernel@vger.kernel.org>);
 Thu, 13 Feb 2014 04:39:16 -0500
Received: by mail-we0-f178.google.com with SMTP id q59so7030729wes.23
 for <linux-kernel@vger.kernel.org>;
 Thu, 13 Feb 2014 01:39:15 -0800 (PST)
X-Received: by 10.195.12.200 with SMTP id es8mr354412wjd.77.1392284355692;
 Thu, 13 Feb 2014 01:39:15 -0800 (PST)
Received: from localhost.localdomain ([85.235.11.236])
 by mx.google.com with ESMTPSA id
 cm5sm3910643wid.5.2014.02.13.01.39.13 for <multiple recipients>
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Thu, 13 Feb 2014 01:39:14 -0800 (PST)
From: Linus Walleij <linus.walleij@linaro.org>
To: Vinod Koul <vinod.koul@intel.com>
Cc: linux-kernel@vger.kernel.org, Dan Williams <djbw@fb.com>,
 Dan Carpenter <dan.carpenter@oracle.com>,
 Linus Walleij <linus.walleij@linaro.org>, stable@vger.kernel.org
Subject: [PATCH] dma: ste_dma40: don't dereference free:d descriptor
Date: Thu, 13 Feb 2014 10:39:01 +0100
Message-Id: <1392284341-11482-1-git-send-email-linus.walleij@linaro.org>
X-Mailer: git-send-email 1.8.5.3
Sender: linux-kernel-owner@vger.kernel.org
Precedence: list
List-ID: <patchwork-forward.linaro.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Removed-Original-Auth: Dkim didn't pass.
X-Original-Sender: linus.walleij@linaro.org
X-Original-Authentication-Results: mx.google.com;       spf=neutral
 (google.com: 209.85.220.174 is neither permitted nor denied by best
 guess record for domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org)
 smtp.mail=patch+caf_=patchwork-forward=linaro.org@linaro.org
Mailing-list: list patchwork-forward@linaro.org;
 contact patchwork-forward+owners@linaro.org
X-Google-Group-Id: 836684582541
List-Post: <http://groups.google.com/a/linaro.org/group/patchwork-forward/post>, 
 <mailto:patchwork-forward@linaro.org>
List-Help: <http://support.google.com/a/linaro.org/bin/topic.py?topic=25838>, 
 <mailto:patchwork-forward+help@linaro.org>
List-Archive: <http://groups.google.com/a/linaro.org/group/patchwork-forward/>
List-Unsubscribe: <http://groups.google.com/a/linaro.org/group/patchwork-forward/subscribe>, 
 <mailto:googlegroups-manage+836684582541+unsubscribe@googlegroups.com>

It appears that in the DMA40 driver the DMA tasklet will very
often dereference memory for a descriptor just free:d from the
DMA40 slab. Nothing happens because no other part of the driver
has yet had a chance to claim this memory, but it's really
nasty to dereference free:d memory, so let's check the flag
before the descriptor is free and store it in a bool variable.

Cc: stable@vger.kernel.org
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
---
 drivers/dma/ste_dma40.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/dma/ste_dma40.c b/drivers/dma/ste_dma40.c
index 00a2de957b23..bf18c786ed40 100644
--- a/drivers/dma/ste_dma40.c
+++ b/drivers/dma/ste_dma40.c
@@ -1641,6 +1641,7 @@ static void dma_tasklet(unsigned long data)
 	struct d40_chan *d40c = (struct d40_chan *) data;
 	struct d40_desc *d40d;
 	unsigned long flags;
+	bool callback_active;
 	dma_async_tx_callback callback;
 	void *callback_param;
 
@@ -1668,6 +1669,7 @@ static void dma_tasklet(unsigned long data)
 	}
 
 	/* Callback to client */
+	callback_active = !!(d40d->txd.flags & DMA_PREP_INTERRUPT);
 	callback = d40d->txd.callback;
 	callback_param = d40d->txd.callback_param;
 
@@ -1690,7 +1692,7 @@ static void dma_tasklet(unsigned long data)
 
 	spin_unlock_irqrestore(&d40c->lock, flags);
 
-	if (callback && (d40d->txd.flags & DMA_PREP_INTERRUPT))
+	if (callback_active && callback)
 		callback(callback_param);
 
 	return;