Re: [PATCH v4 01/14] dmaengine: tegra-apb: Fix use-after-free

From: Jon Hunter
Date: Tue Jan 14 2020 - 10:09:58 EST

Next message: Greg Kroah-Hartman: "Re: [PATCH] component: fix debugfs."
Previous message: Luis Henriques: "Re: [RFC PATCH v4] ceph: use 'copy-from2' operation in copy_file_range"
In reply to: Dmitry Osipenko: "[PATCH v4 01/14] dmaengine: tegra-apb: Fix use-after-free"
Next in thread: Dmitry Osipenko: "Re: [PATCH v4 01/14] dmaengine: tegra-apb: Fix use-after-free"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 12/01/2020 17:29, Dmitry Osipenko wrote:
> I was doing some experiments with I2C and noticed that Tegra APB DMA
> driver crashes sometime after I2C DMA transfer termination. The crash
> happens because tegra_dma_terminate_all() bails out immediately if pending
> list is empty, thus it doesn't release the half-completed descriptors
> which are getting re-used before ISR tasklet kicks-in.

Can you elaborate a bit more on how these are getting re-used? What is
the sequence of events which results in the panic? I believe that this
was also reported in the past [0] and so I don't doubt there is an issue
here, but would like to completely understand this.

Thanks!
Jon

[0] https://lore.kernel.org/patchwork/patch/675349/

--
nvpublic

Next message: Greg Kroah-Hartman: "Re: [PATCH] component: fix debugfs."
Previous message: Luis Henriques: "Re: [RFC PATCH v4] ceph: use 'copy-from2' operation in copy_file_range"
In reply to: Dmitry Osipenko: "[PATCH v4 01/14] dmaengine: tegra-apb: Fix use-after-free"
Next in thread: Dmitry Osipenko: "Re: [PATCH v4 01/14] dmaengine: tegra-apb: Fix use-after-free"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]