[3.8.y.z extended stable] Patch "dma: ste_dma40: don't dereference free:d descriptor" has been added to staging queue
Kamal Mostafa
kamal at canonical.com
Mon Mar 24 21:19:45 UTC 2014
This is a note to let you know that I have just added a patch titled
dma: ste_dma40: don't dereference free:d descriptor
to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree
which can be found at:
http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.8.y-queue
This patch is scheduled to be released in version 3.8.13.20.
If you, or anyone else, feels it should not be added to this tree, please
reply to this email.
For more information about the 3.8.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable
Thanks.
-Kamal
------
From 6aff5bf088cfeef826c3826a6b5d75207fea486a Mon Sep 17 00:00:00 2001
From: Linus Walleij <linus.walleij at linaro.org>
Date: Thu, 13 Feb 2014 10:39:01 +0100
Subject: dma: ste_dma40: don't dereference free:d descriptor
commit e9baa9d9d520fb0e24cca671e430689de2d4a4b2 upstream.
It appears that in the DMA40 driver the DMA tasklet will very
often dereference memory for a descriptor just free:d from the
DMA40 slab. Nothing happens because no other part of the driver
has yet had a chance to claim this memory, but it's really
nasty to dereference free:d memory, so let's check the flag
before the descriptor is free and store it in a bool variable.
Reported-by: Dan Carpenter <dan.carpenter at oracle.com>
Signed-off-by: Linus Walleij <linus.walleij at linaro.org>
Signed-off-by: Vinod Koul <vinod.koul at intel.com>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
drivers/dma/ste_dma40.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/dma/ste_dma40.c b/drivers/dma/ste_dma40.c
index 17459ad..da6426e 100644
--- a/drivers/dma/ste_dma40.c
+++ b/drivers/dma/ste_dma40.c
@@ -1410,6 +1410,7 @@ static void dma_tasklet(unsigned long data)
struct d40_chan *d40c = (struct d40_chan *) data;
struct d40_desc *d40d;
unsigned long flags;
+ bool callback_active;
dma_async_tx_callback callback;
void *callback_param;
@@ -1433,6 +1434,7 @@ static void dma_tasklet(unsigned long data)
}
/* Callback to client */
+ callback_active = !!(d40d->txd.flags & DMA_PREP_INTERRUPT);
callback = d40d->txd.callback;
callback_param = d40d->txd.callback_param;
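Review bot: the !! in the callback_active assignment is redundant, since the target is a bool and the conversion already yields 0 or 1; "callback_active = d40d->txd.flags & DMA_PREP_INTERRUPT;" reads more plainly. The "/* Callback to client */" comment above these three assignments could also say that they are snapshots taken while d40d is still valid, because the commit message is the only place that explains why the flag test moved up here, and a later cleanup could easily move it back down.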
@@ -1457,7 +1459,7 @@ static void dma_tasklet(unsigned long data)
spin_unlock_irqrestore(&d40c->lock, flags);
- if (callback && (d40d->txd.flags & DMA_PREP_INTERRUPT))
+ if (callback_active && callback)
callback(callback_param);
return;
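Review bot: after spin_unlock_irqrestore() the d40d pointer is still in scope, and nothing in these lines marks it as stale, even though the new condition no longer reads it. Given that the commit message says the descriptor has already been returned to the slab by this point, it is worth confirming that no other d40d-> access remains between the free and this return, and adding a one-line comment at the free (or setting d40d = NULL there) so that any later dereference fails loudly instead of silently reading freed memory.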
--
1.8.3.2
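The ordering problem described in the commit message, as an added user-space example that is not part of the patch or the driver: struct desc, the one-object pool, the flag value and all function names are assumptions made for illustration. Freeing poisons the object, so the stale flag test visibly makes the wrong decision, while the snapshot ordering does not.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PREP_INTERRUPT 0x1u /* stand-in for DMA_PREP_INTERRUPT (value assumed) */
#define POISON_FREE 0x6b    /* byte the kernel's slab poisoning writes on free */

/* Hypothetical cut-down descriptor; the real d40_desc has many more fields. */
struct desc { unsigned int flags; void (*callback)(void *); };

static struct desc slot;    /* one-object "slab": storage stays valid C memory */
static int calls;
static void on_complete(void *param) { (void)param; calls++; }

static struct desc *desc_alloc(unsigned int flags)
{
    slot = (struct desc){ flags, on_complete };
    calls = 0;
    return &slot;
}
static void desc_free(struct desc *d) { memset(d, POISON_FREE, sizeof(*d)); }

/* Pre-patch ordering: the flag is tested after the descriptor is freed. */
static int complete_stale(unsigned int flags)
{
    struct desc *d = desc_alloc(flags);
    void (*cb)(void *) = d->callback;
    desc_free(d);
    if (cb && (d->flags & PREP_INTERRUPT)) /* reads poisoned memory */
        cb(NULL);
    return calls;
}

/* Patched ordering: the decision is captured while the descriptor is live. */
static int complete_snapshot(unsigned int flags)
{
    struct desc *d = desc_alloc(flags);
    bool active = d->flags & PREP_INTERRUPT;
    void (*cb)(void *) = d->callback;
    desc_free(d);
    if (active && cb)
        cb(NULL);
    return calls;
}

int main(void)
{
    printf("stale: %d, snapshot: %d\n", complete_stale(0), complete_snapshot(0));
    return 0;
}
```

With the flag clear, the stale ordering still fires the callback because the poison pattern has bit 0 set; the snapshot ordering stays silent.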