From: Guodong Xu
Date: Tue, 16 Dec 2025 22:10:06 +0800
Subject: [PATCH] dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue()
X-Mailing-List: linux-kernel@vger.kernel.org
Message-Id: <20251216-mmp-pdma-race-v1-1-976a224bb622@riscstar.com>
To: Vinod Koul, Yixun Lan
Cc: Alex Elder, dmaengine@vger.kernel.org, linux-kernel@vger.kernel.org,
 linux-riscv@lists.infradead.org, spacemit@lists.linux.dev, Juan Li, Guodong Xu
X-Mailer: b4 0.14.2

Add proper locking in mmp_pdma_residue() to prevent use-after-free when
accessing descriptor list and descriptor contents.

The race occurs when multiple threads call tx_status() while the tasklet
on another CPU is freeing completed descriptors:

CPU 0                              CPU 1
-----                              -----
mmp_pdma_tx_status()
mmp_pdma_residue()
  -> NO LOCK held
     list_for_each_entry(sw, ..)
                                   DMA interrupt
                                   dma_do_tasklet()
                                     -> spin_lock(&desc_lock)
                                        list_move(sw->node, ...)
                                        spin_unlock(&desc_lock)
  |                                     dma_pool_free(sw) <- FREED!
  -> access sw->desc <- UAF!

This issue can be reproduced when running dmatest on the same channel with
multiple threads (threads_per_chan > 1).

Fix by protecting the chain_running list iteration and descriptor access
with the chan->desc_lock spinlock.

Signed-off-by: Juan Li
Signed-off-by: Guodong Xu
---
 drivers/dma/mmp_pdma.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/dma/mmp_pdma.c b/drivers/dma/mmp_pdma.c
index d07229a748868b8115892c63c54c16130d88e326..481b58c414e470cc08812d5a9fe=
7283cc48e5827 100644
--- a/drivers/dma/mmp_pdma.c
+++ b/drivers/dma/mmp_pdma.c
@@ -928,6 +928,7 @@ static unsigned int mmp_pdma_residue(struct mmp_pdma_ch= an *chan, { struct mmp_pdma_desc_sw *sw; struct mmp_pdma_device *pdev =3D to_mmp_pdma_dev(chan->chan.device); + unsigned long flags; u64 curr; u32 residue =3D 0; bool passed =3D false; @@ -945,6 +946,8 @@ static unsigned int mmp_pdma_residue(struct mmp_pdma_ch= an *chan, else curr =3D pdev->ops->read_src_addr(chan->phy); =20 + spin_lock_irqsave(&chan->desc_lock, flags); + list_for_each_entry(sw, &chan->chain_running, node) { u64 start, end; u32 len; @@ -989,6 +992,7 @@ static unsigned int mmp_pdma_residue(struct mmp_pdma_ch= an *chan, continue; =20 if (sw->async_tx.cookie =3D=3D cookie) { + spin_unlock_irqrestore(&chan->desc_lock, flags); return residue; } else { residue =3D 0; @@ -996,6 +1000,8 @@ static unsigned int mmp_pdma_residue(struct mmp_pdma_c= han *chan, } } =20 + spin_unlock_irqrestore(&chan->desc_lock, flags); + /* We should only get here in case of cyclic transactions */ return residue; } --- base-commit: 8f0b4cce4481fb22653697cced8d0d04027cb1e8 change-id: 20251216-mmp-pdma-race-d77c84219b2c Best regards, --=20 Guodong Xu
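
Review bot: in the second hunk (@@ -945), the hardware position is still sampled outside the critical section: the context line `curr = pdev->ops->read_src_addr(chan->phy);` runs before the added `spin_lock_irqsave(&chan->desc_lock, flags);`. The tasklet can therefore retire descriptors between the register read and the lock, and the walk then compares a stale `curr` against a `chain_running` list that may no longer contain the descriptor it pointed into. The lock closes the use-after-free, but the residue calculation is only consistent if the snapshot and the list walk happen under the same lock hold. Consider taking the lock before `curr` is read, or add a comment stating why a stale snapshot is acceptable here.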
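
Review bot: in the third hunk (@@ -989), the cookie-match branch gets its own `spin_unlock_irqrestore(&chan->desc_lock, flags);` ahead of `return residue;`, so the function now has two unlock sites, and any early exit added to this loop later has to remember the unlock by hand. A single exit path would be more robust: either a scope-based guard, `guard(spinlock_irqsave)(&chan->desc_lock);`, which also removes the need for the new `flags` local from the first hunk, or a `break` here, since the code after the loop in the last hunk only unlocks and returns `residue`. If `break` is used, the "cyclic transactions" comment above the final return needs rewording, because that path would no longer be cyclic-only.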