mirror-linux/drivers/tty
Ilpo Järvinen 9d25aea2ab serial: 8250_dma: Fix DMA Rx rearm race
commit 57e9af7831 upstream.

As DMA Rx can be completed from two places, it is possible that DMA Rx
completes before DMA completion callback had a chance to complete it.
Once the previous DMA Rx has been completed, a new one can be started
on the next UART interrupt. The following race is possible
(uart_unlock_and_check_sysrq_irqrestore() replaced with
spin_unlock_irqrestore() for simplicity/clarity):

CPU0					CPU1
					dma_rx_complete()
serial8250_handle_irq()
  spin_lock_irqsave(&port->lock)
  handle_rx_dma()
    serial8250_rx_dma_flush()
      __dma_rx_complete()
        dma->rx_running = 0
        // Complete DMA Rx
  spin_unlock_irqrestore(&port->lock)

serial8250_handle_irq()
  spin_lock_irqsave(&port->lock)
  handle_rx_dma()
    serial8250_rx_dma()
      dma->rx_running = 1
      // Setup a new DMA Rx
  spin_unlock_irqrestore(&port->lock)

					  spin_lock_irqsave(&port->lock)
					  // sees dma->rx_running = 1
					  __dma_rx_complete()
					    dma->rx_running = 0
					    // Incorrectly complete
					    // running DMA Rx

This race seems somewhat theoretical to occur for real but handle it
correctly regardless. Check what is the DMA status before completing
anything in __dma_rx_complete().

Reported-by: Gilles BULOZ <gilles.buloz@kontron.com>
Tested-by: Gilles BULOZ <gilles.buloz@kontron.com>
Fixes: 9ee4b83e51 ("serial: 8250: Add support for dmaengine")
Cc: stable@vger.kernel.org
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Link: https://lore.kernel.org/r/20230130114841.25749-3-ilpo.jarvinen@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-02-09 11:28:25 +01:00
..
hvc hvc/xen: lock console list traversal 2023-01-18 11:58:26 +01:00
ipwireless
serdev
serial serial: 8250_dma: Fix DMA Rx rearm race 2023-02-09 11:28:25 +01:00
vt vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF 2023-02-09 11:28:14 +01:00
Kconfig
Makefile
amiserial.c
ehv_bytechan.c
goldfish.c
mips_ejtag_fdc.c
moxa.c
mxser.c tty: mxser: remove redundant assignment to hwid 2022-09-01 17:59:36 +02:00
n_gsm.c tty: n_gsm: fix sleep-in-atomic-context bug in gsm_control_send 2022-11-03 04:12:09 +01:00
n_hdlc.c tty: n_hdlc: remove HDLC_MAGIC 2022-09-22 16:12:34 +02:00
n_null.c
n_tty.c
nozomi.c
pty.c
rpmsg_tty.c
synclink_gt.c tty: synclink_gt: remove MGSL_MAGIC 2022-09-22 16:12:34 +02:00
sysrq.c
tty.h
tty_audit.c
tty_baudrate.c
tty_buffer.c
tty_io.c tty: remove TTY_DRIVER_MAGIC 2022-09-22 16:12:34 +02:00
tty_ioctl.c termios: start unifying non-UAPI parts of asm/termios.h 2022-09-09 10:44:34 +02:00
tty_jobctrl.c
tty_ldisc.c
tty_ldsem.c
tty_mutex.c tty: remove TTY_MAGIC 2022-09-22 16:12:34 +02:00
tty_port.c
ttynull.c
vcc.c termios: start unifying non-UAPI parts of asm/termios.h 2022-09-09 10:44:34 +02:00