tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

dmaengine: qcom: bam_dma: Fix resource leak

bam_dma_terminate_all() will leak resources if any of the transactions are
committed to the hardware (present in the desc fifo), and not complete.
Since bam_dma_terminate_all() does not cause the hardware to be updated,
the hardware will still operate on any previously committed transactions.
This can cause memory corruption if the memory for the transaction has been
reassigned, and will cause a sync issue between the BAM and its client(s).

Fix this by properly updating the hardware in bam_dma_terminate_all().

Fixes: e7c0fe2a5c84 ("dmaengine: add Qualcomm BAM dma driver")
Signed-off-by: Jeffrey Hugo <jeffrey.l.hugo@gmail.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20191017152606.34120-1-jeffrey.l.hugo@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>

authored by

Jeffrey Hugo and committed by
Vinod Koul 76678193 ec1ac309

+19
+19
drivers/dma/qcom/bam_dma.c
··· 694 694 695 695 /* remove all transactions, including active transaction */ 696 696 spin_lock_irqsave(&bchan->vc.lock, flag); 697 + /* 698 + * If we have transactions queued, then some might be committed to the 699 + * hardware in the desc fifo. The only way to reset the desc fifo is 700 + * to do a hardware reset (either by pipe or the entire block). 701 + * bam_chan_init_hw() will trigger a pipe reset, and also reinit the 702 + * pipe. If the pipe is left disabled (default state after pipe reset) 703 + * and is accessed by a connected hardware engine, a fatal error in 704 + * the BAM will occur. There is a small window where this could happen 705 + * with bam_chan_init_hw(), but it is assumed that the caller has 706 + * stopped activity on any attached hardware engine. Make sure to do 707 + * this first so that the BAM hardware doesn't cause memory corruption 708 + * by accessing freed resources. 709 + */ 710 + if (!list_empty(&bchan->desc_list)) { 711 + async_desc = list_first_entry(&bchan->desc_list, 712 + struct bam_async_desc, desc_node); 713 + bam_chan_init_hw(bchan, async_desc->dir); 714 + } 715 + 697 716 list_for_each_entry_safe(async_desc, tmp, 698 717 &bchan->desc_list, desc_node) { 699 718 list_add(&async_desc->vd.node, &bchan->vc.desc_issued);