diff options
| author | Guodong Xu <guodong@riscstar.com> | 2025-12-16 22:10:06 +0800 |
|---|---|---|
| committer | Vinod Koul <vkoul@kernel.org> | 2025-12-16 20:28:39 +0530 |
| commit | a143545855bc2c6e1330f6f57ae375ac44af00a7 (patch) | |
| tree | 94f36fc0a06bc6f99e7835acca7a9675a003d79a /kernel/livepatch/git@git.tavy.me:linux.git | |
| parent | 430f7803b69cd5e5694e5dfc884c6628870af36e (diff) | |
dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()
Add proper locking in mmp_pdma_residue() to prevent use-after-free when
accessing descriptor list and descriptor contents.
The race occurs when multiple threads call tx_status() while the tasklet
on another CPU is freeing completed descriptors:
CPU 0 CPU 1
----- -----
mmp_pdma_tx_status()
mmp_pdma_residue()
-> NO LOCK held
list_for_each_entry(sw, ..)
DMA interrupt
dma_do_tasklet()
-> spin_lock(&desc_lock)
list_move(sw->node, ...)
spin_unlock(&desc_lock)
| dma_pool_free(sw) <- FREED!
-> access sw->desc <- UAF!
This issue can be reproduced when running dmatest on the same channel with
multiple threads (threads_per_chan > 1).
Fix by protecting the chain_running list iteration and descriptor access
with the chan->desc_lock spinlock.
Signed-off-by: Juan Li <lijuan@linux.spacemit.com>
Signed-off-by: Guodong Xu <guodong@riscstar.com>
Link: https://patch.msgid.link/20251216-mmp-pdma-race-v1-1-976a224bb622@riscstar.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Diffstat (limited to 'kernel/livepatch/git@git.tavy.me:linux.git')
0 files changed, 0 insertions, 0 deletions