Commit a143545
dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()

Add proper locking in mmp_pdma_residue() to prevent use-after-free when
accessing descriptor list and descriptor contents.

The race occurs when multiple threads call tx_status() while the tasklet
on another CPU is freeing completed descriptors:

    CPU 0                              CPU 1
    -----                              -----
    mmp_pdma_tx_status()
    mmp_pdma_residue()
      -> NO LOCK held
         list_for_each_entry(sw, ..)
                                       DMA interrupt
                                       dma_do_tasklet()
                                         -> spin_lock(&desc_lock)
                                            list_move(sw->node, ...)
                                            spin_unlock(&desc_lock)
    |                                    dma_pool_free(sw) <- FREED!
      -> access sw->desc <- UAF!

This issue can be reproduced when running dmatest on the same channel with
multiple threads (threads_per_chan > 1).

Fix by protecting the chain_running list iteration and descriptor access
with the chan->desc_lock spinlock.

Signed-off-by: Juan Li <lijuan@linux.spacemit.com>
Signed-off-by: Guodong Xu <guodong@riscstar.com>
Link: https://patch.msgid.link/20251216-mmp-pdma-race-v1-1-976a224bb622@riscstar.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>

1 parent 430f780 commit a143545
1 file changed
Lines changed: 6 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
928 | 928 | | |
929 | 929 | | |
930 | 930 | | |
| 931 | + | |
931 | 932 | | |
932 | 933 | | |
933 | 934 | | |
| |||
945 | 946 | | |
946 | 947 | | |
947 | 948 | | |
| 949 | + | |
| 950 | + | |
948 | 951 | | |
949 | 952 | | |
950 | 953 | | |
| |||
989 | 992 | | |
990 | 993 | | |
991 | 994 | | |
| 995 | + | |
992 | 996 | | |
993 | 997 | | |
994 | 998 | | |
995 | 999 | | |
996 | 1000 | | |
997 | 1001 | | |
998 | 1002 | | |
| 1003 | + | |
| 1004 | + | |
999 | 1005 | | |
1000 | 1006 | | |
1001 | 1007 | | |
| |||
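The interleaving from the commit message, replayed as a deterministic userspace model. This is an added example, not the driver's code and not part of the commit. The struct and function names are hypothetical, an atomic flag stands in for chan->desc_lock, and a `freed` marker stands in for dma_pool_free() so the stale read is detected rather than being undefined behaviour.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed model: names are hypothetical, not taken from mmp_pdma.c. */
struct desc { size_t len; bool freed; struct desc *next; };
struct chan { atomic_flag lock; struct desc *running; };

static bool chan_trylock(struct chan *c) { return !atomic_flag_test_and_set(&c->lock); }
static void chan_unlock(struct chan *c) { atomic_flag_clear(&c->lock); }

/* Stand-in for the tasklet on the other CPU: retire the head descriptor.
 * Returns false when the lock is held (a real spin_lock would wait here). */
static bool tasklet_retire(struct chan *c)
{
    if (!chan_trylock(c))
        return false;
    struct desc *d = c->running;
    if (d) {
        c->running = d->next;   /* models list_move() off the running list */
        d->freed = true;        /* models dma_pool_free(sw) */
    }
    chan_unlock(c);
    return true;
}

/* Sum the remaining bytes. The "interrupt" is injected right after the
 * walker has picked up its first descriptor, as in the CPU 0 / CPU 1 trace.
 * Returns -1 if the walker read a descriptor that was already freed. */
static long residue(struct chan *c, bool take_lock)
{
    long sum = 0;
    bool fired = false;
    if (take_lock)
        while (!chan_trylock(c))
            ;
    for (struct desc *d = c->running; d; d = d->next) {
        if (!fired) { tasklet_retire(c); fired = true; }
        if (d->freed) { sum = -1; break; }  /* the use-after-free read */
        sum += (long)d->len;
    }
    if (take_lock)
        chan_unlock(c);
    return sum;
}

/* Constructed input: two running descriptors of 100 and 200 bytes. */
static long run(bool take_lock)
{
    struct desc b = { 200, false, NULL }, a = { 100, false, &b };
    struct chan c = { ATOMIC_FLAG_INIT, &a };
    return residue(&c, take_lock);
}
```

`run(false)` reproduces the unlocked walk and reports the stale descriptor; `run(true)` holds the lock across the walk, so the retire attempt is refused and the full residue is returned.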