dmaengine: virt-dma: Support for race free transfer termination
authorPeter Ujfalusi <peter.ujfalusi@ti.com>
Tue, 14 Nov 2017 14:32:04 +0000 (16:32 +0200)
committerVinod Koul <vinod.koul@intel.com>
Mon, 4 Dec 2017 17:03:51 +0000 (22:33 +0530)
commit1c7f072d94e8b697fd9b70cdb268622a18faf522
tree706d68a16f1c1b17b99fde45d830b730e33e4932
parent6af149d2b1422e0e873d8558274713e6f63142c2
dmaengine: virt-dma: Support for race free transfer termination

Even with the introduced vchan_synchronize() we can face race when
terminating a cyclic transfer.

If the terminate_all is called after the interrupt handler called
vchan_cyclic_callback(), but before the vchan_complete tasklet is called:
vc->cyclic is set to the cyclic descriptor, but the descriptor itself was
freed up in the driver's terminate_all() callback.
When the vhan_complete() is executed it will try to fetch the vc->cyclic
vdesc, but the pointer is pointing now to uninitialized memory leading to
(hard to reproduce) kernel crash.

In order to fix this, drivers should:
- call vchan_terminate_vdesc() from their terminate_all callback instead
calling their free_desc function to free up the descriptor.
- implement device_synchronize callback and call vchan_synchronize().

This way we can make sure that the descriptor is only going to be freed up
after the vchan_callback was executed in a safe manner.

Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
drivers/dma/virt-dma.h