5.0-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit 546c0547555efca8ba8c120716c325435e29df1b ]

When dma_cookie_complete() is called in hidma_process_completed(),
dma_cookie_status() will return DMA_COMPLETE in hidma_tx_status(). Then,
hidma_txn_is_success() will be called to use channel cookie
mchan->last_success to do additional DMA status check. Current code
assigns mchan->last_success after dma_cookie_complete(). This causes
a race condition of dma_cookie_status() returns DMA_COMPLETE before
mchan->last_success is assigned correctly. The race will cause
hidma_tx_status() return DMA_ERROR but the transaction is actually a
success. Moreover, in async_tx case, it will cause a timeout panic
in async_tx_quiesce().

 Kernel panic - not syncing: async_tx_quiesce: DMA error waiting for
 transaction
 ...
 Call trace:
 [<ffff000008089994>] dump_backtrace+0x0/0x1f4
 [<ffff000008089bac>] show_stack+0x24/0x2c
 [<ffff00000891e198>] dump_stack+0x84/0xa8
 [<ffff0000080da544>] panic+0x12c/0x29c
 [<ffff0000045d0334>] async_tx_quiesce+0xa4/0xc8 [async_tx]
 [<ffff0000045d03c8>] async_trigger_callback+0x70/0x1c0 [async_tx]
 [<ffff0000048b7d74>] raid_run_ops+0x86c/0x1540 [raid456]
 [<ffff0000048bd084>] handle_stripe+0x5e8/0x1c7c [raid456]
 [<ffff0000048be9ec>] handle_active_stripes.isra.45+0x2d4/0x550 [raid456]
 [<ffff0000048beff4>] raid5d+0x38c/0x5d0 [raid456]
 [<ffff000008736538>] md_thread+0x108/0x168
 [<ffff0000080fb1cc>] kthread+0x10c/0x138
 [<ffff000008084d34>] ret_from_fork+0x10/0x18

Cc: Joey Zheng <yu.zh...@hxt-semitech.com>
Reviewed-by: Sinan Kaya <ok...@kernel.org>
Signed-off-by: Shunyong Yang <shunyong.y...@hxt-semitech.com>
Signed-off-by: Vinod Koul <vk...@kernel.org>
Signed-off-by: Sasha Levin <sas...@kernel.org>
---
 drivers/dma/qcom/hidma.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/drivers/dma/qcom/hidma.c b/drivers/dma/qcom/hidma.c
index 43d4b00b8138..ea219bca116d 100644
--- a/drivers/dma/qcom/hidma.c
+++ b/drivers/dma/qcom/hidma.c
@@ -138,24 +138,25 @@ static void hidma_process_completed(struct hidma_chan 
*mchan)
                desc = &mdesc->desc;
                last_cookie = desc->cookie;
 
+               llstat = hidma_ll_status(mdma->lldev, mdesc->tre_ch);
+
                spin_lock_irqsave(&mchan->lock, irqflags);
+               if (llstat == DMA_COMPLETE) {
+                       mchan->last_success = last_cookie;
+                       result.result = DMA_TRANS_NOERROR;
+               } else {
+                       result.result = DMA_TRANS_ABORTED;
+               }
+
                dma_cookie_complete(desc);
                spin_unlock_irqrestore(&mchan->lock, irqflags);
 
-               llstat = hidma_ll_status(mdma->lldev, mdesc->tre_ch);
                dmaengine_desc_get_callback(desc, &cb);
 
                dma_run_dependencies(desc);
 
                spin_lock_irqsave(&mchan->lock, irqflags);
                list_move(&mdesc->node, &mchan->free);
-
-               if (llstat == DMA_COMPLETE) {
-                       mchan->last_success = last_cookie;
-                       result.result = DMA_TRANS_NOERROR;
-               } else
-                       result.result = DMA_TRANS_ABORTED;
-
                spin_unlock_irqrestore(&mchan->lock, irqflags);
 
                dmaengine_desc_callback_invoke(&cb, &result);
-- 
2.19.1



Reply via email to