NothingOSS/android_kernel_msm-6.1_nothing_sm7635
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
android_kernel_msm-6.1_noth.../drivers
History
Koba Ko 142d644fd2 dmaengine: Fix double increment of client_count in dma_chan_get() 
[ Upstream commit f3dc1b3b4750851a94212dba249703dd0e50bb20 ]

The first time dma_chan_get() is called for a channel the channel
client_count is incorrectly incremented twice for public channels,
first in balance_ref_count(), and again prior to returning. This
results in an incorrect client count which will lead to the
channel resources not being freed when they should be. A simple
 test of repeated module load and unload of async_tx on a Dell
 Power Edge R7425 also shows this resulting in a kref underflow
 warning.

[  124.329662] async_tx: api initialized (async)
[  129.000627] async_tx: api initialized (async)
[  130.047839] ------------[ cut here ]------------
[  130.052472] refcount_t: underflow; use-after-free.
[  130.057279] WARNING: CPU: 3 PID: 19364 at lib/refcount.c:28
refcount_warn_saturate+0xba/0x110
[  130.065811] Modules linked in: async_tx(-) rfkill intel_rapl_msr
intel_rapl_common amd64_edac edac_mce_amd ipmi_ssif kvm_amd dcdbas kvm
mgag200 drm_shmem_helper acpi_ipmi irqbypass drm_kms_helper ipmi_si
syscopyarea sysfillrect rapl pcspkr ipmi_devintf sysimgblt fb_sys_fops
k10temp i2c_piix4 ipmi_msghandler acpi_power_meter acpi_cpufreq vfat
fat drm fuse xfs libcrc32c sd_mod t10_pi sg ahci crct10dif_pclmul
libahci crc32_pclmul crc32c_intel ghash_clmulni_intel igb megaraid_sas
i40e libata i2c_algo_bit ccp sp5100_tco dca dm_mirror dm_region_hash
dm_log dm_mod [last unloaded: async_tx]
[  130.117361] CPU: 3 PID: 19364 Comm: modprobe Kdump: loaded Not
tainted 5.14.0-185.el9.x86_64 #1
[  130.126091] Hardware name: Dell Inc. PowerEdge R7425/02MJ3T, BIOS
1.18.0 01/17/2022
[  130.133806] RIP: 0010:refcount_warn_saturate+0xba/0x110
[  130.139041] Code: 01 01 e8 6d bd 55 00 0f 0b e9 72 9d 8a 00 80 3d
26 18 9c 01 00 75 85 48 c7 c7 f8 a3 03 9d c6 05 16 18 9c 01 01 e8 4a
bd 55 00 <0f> 0b e9 4f 9d 8a 00 80 3d 01 18 9c 01 00 0f 85 5e ff ff ff
48 c7
[  130.157807] RSP: 0018:ffffbf98898afe68 EFLAGS: 00010286
[  130.163036] RAX: 0000000000000000 RBX: ffff9da06028e598 RCX: 0000000000000000
[  130.170172] RDX: ffff9daf9de26480 RSI: ffff9daf9de198a0 RDI: ffff9daf9de198a0
[  130.177316] RBP: ffff9da7cddf3970 R08: 0000000000000000 R09: 00000000ffff7fff
[  130.184459] R10: ffffbf98898afd00 R11: ffffffff9d9e8c28 R12: ffff9da7cddf1970
[  130.191596] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  130.198739] FS:  00007f646435c740(0000) GS:ffff9daf9de00000(0000)
knlGS:0000000000000000
[  130.206832] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  130.212586] CR2: 00007f6463b214f0 CR3: 00000008ab98c000 CR4: 00000000003506e0
[  130.219729] Call Trace:
[  130.222192]  <TASK>
[  130.224305]  dma_chan_put+0x10d/0x110
[  130.227988]  dmaengine_put+0x7a/0xa0
[  130.231575]  __do_sys_delete_module.constprop.0+0x178/0x280
[  130.237157]  ? syscall_trace_enter.constprop.0+0x145/0x1d0
[  130.242652]  do_syscall_64+0x5c/0x90
[  130.246240]  ? exc_page_fault+0x62/0x150
[  130.250178]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[  130.255243] RIP: 0033:0x7f6463a3f5ab
[  130.258830] Code: 73 01 c3 48 8b 0d 75 a8 1b 00 f7 d8 64 89 01 48
83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 b0 00 00
00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 45 a8 1b 00 f7 d8 64 89
01 48
[  130.277591] RSP: 002b:00007fff22f972c8 EFLAGS: 00000206 ORIG_RAX:
00000000000000b0
[  130.285164] RAX: ffffffffffffffda RBX: 000055b6786edd40 RCX: 00007f6463a3f5ab
[  130.292303] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 000055b6786edda8
[  130.299443] RBP: 000055b6786edd40 R08: 0000000000000000 R09: 0000000000000000
[  130.306584] R10: 00007f6463b9eac0 R11: 0000000000000206 R12: 000055b6786edda8
[  130.313731] R13: 0000000000000000 R14: 000055b6786edda8 R15: 00007fff22f995f8
[  130.320875]  </TASK>
[  130.323081] ---[ end trace eff7156d56b5cf25 ]---

cat /sys/class/dma/dma0chan*/in_use would get the wrong result.
2
2
2

Fixes: d2f4f99db3 ("dmaengine: Rework dma_chan_get")
Signed-off-by: Koba Ko <koba.ko@canonical.com>
Reviewed-by: Jie Hai <haijie1@huawei.com>
Test-by: Jie Hai <haijie1@huawei.com>
Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Tested-by: Joel Savitz <jsavitz@redhat.com>
Link: https://lore.kernel.org/r/20221201030050.978595-1-koba.ko@canonical.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-02-01 08:34:23 +01:00
..
accessibility tty: fix possible null-ptr-defer in spk_ttyio_release 2023-01-24 07:24:37 +01:00
acpi ACPI: PRM: Check whether EFI runtime is available 2023-01-24 07:24:35 +01:00
amba
android
ata ata: ahci: fix enum constants for gcc-13 2023-01-07 11:11:46 +01:00
atm
auxdisplay
base driver core: Fix bus_type.match() error handling in __driver_attach() 2023-01-07 11:11:54 +01:00
bcma
block block/rnbd-clt: fix wrong max ID in ida_alloc_max 2023-02-01 08:34:21 +01:00
bluetooth Bluetooth: hci_qca: Fix driver shutdown on closed serdev 2023-01-24 07:24:32 +01:00
bus bus: mhi: host: Fix race between channel preparation and M0 event 2023-01-07 11:11:54 +01:00
cdrom
char tpm: Allow system suspend to continue when TPM suspend fails 2023-01-12 12:02:49 +01:00
clk clk: imx: imx8mp: add shared clk gate for usb suspend clk 2022-12-31 13:33:09 +01:00
clocksource clocksource/drivers/timer-ti-dm: Fix missing clk_disable_unprepare in dmtimer_systimer_init_clock() 2022-12-31 13:31:59 +01:00
comedi comedi: adv_pci1760: Fix PWM instruction handling 2023-01-24 07:24:35 +01:00
connector
counter counter: stm32-lptimer-cnt: fix the check on arr and cmp registers update 2022-12-31 13:32:41 +01:00
cpufreq cpufreq: amd-pstate: fix kernel hang issue while amd-pstate unregistering 2023-01-18 11:58:12 +01:00
cpuidle cpuidle: dt: Return the correct numbers of parsed idle states 2022-12-31 13:31:55 +01:00
crypto virtio-crypto: fix memory leak in virtio_crypto_alg_skcipher_close_session() 2023-01-12 12:02:08 +01:00
cxl cxl/region: Fix missing probe failure 2023-01-07 11:11:39 +01:00
dax device-dax: Fix duplicate 'hmem' device registration 2022-11-21 15:34:40 -08:00
dca
devfreq PM/devfreq: governor: Add a private governor_data for governor 2023-01-07 11:11:40 +01:00
dio drivers: dio: fix possible memory leak in dio_init() 2022-12-31 13:32:38 +01:00
dma dmaengine: Fix double increment of client_count in dma_chan_get() 2023-02-01 08:34:23 +01:00
dma-buf dma-buf: fix dma_buf_export init order v2 2023-01-24 07:24:30 +01:00
edac EDAC/highbank: Fix memory leak in highbank_mc_probe() 2023-02-01 08:34:05 +01:00
eisa
extcon extcon: usbc-tusb320: Update state on probe even if no IRQ pending 2022-12-31 13:32:39 +01:00
firewire
firmware firmware: arm_scmi: Fix virtio channels cleanup on shutdown 2023-02-01 08:34:06 +01:00
fpga
fsi
gnss
gpio gpio: mxc: Always set GPIOs used as interrupt source to INPUT mode 2023-02-01 08:34:18 +01:00
gpu drm/panfrost: fix GENERIC_ATOMIC64 dependency 2023-02-01 08:34:23 +01:00
greybus
hid HID: revert CHERRY_MOUSE_000C quirk 2023-02-01 08:34:20 +01:00
hsi HSI: omap_ssi_core: Fix error handling in ssi_init() 2022-12-31 13:32:45 +01:00
hte
hv video: hyperv_fb: Avoid taking busy spinlock on panic path 2022-12-31 13:32:56 +01:00
hwmon hwmon: (jc42) Fix missing unlock on error in jc42_write() 2022-12-31 13:33:06 +01:00
hwspinlock
hwtracing coresight: cti: Fix null pointer error on CTI init before ETM 2022-12-31 13:32:41 +01:00
i2c i2c: ismt: Fix an out-of-bounds bug in ismt_access() 2022-12-31 13:32:42 +01:00
i3c
idle
iio iio: addac: ad74413r: fix integer promotion bug in ad74413_get_input_current_offset() 2022-12-31 13:33:10 +01:00
infiniband IB/hfi1: Remove user expected buffer invalidate race 2023-02-01 08:34:08 +01:00
input Input: iqs7222 - add support for IQS7222A v1.13+ 2022-12-31 13:33:08 +01:00
interconnect interconnect: qcom: msm8996: Fix regmap max_register values 2023-02-01 08:34:06 +01:00
iommu iommu/arm-smmu: Report IOMMU_CAP_CACHE_COHERENCY even betterer 2023-01-18 11:58:21 +01:00
ipack
irqchip irqchip/loongson-liointc: Fix improper error handling in liointc_init() 2022-12-31 13:31:57 +01:00
isdn mISDN: hfcmulti: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave() 2022-12-31 13:32:53 +01:00
leds leds: is31fl319x: Fix setting current limit for is31fl319{0,1,3} 2022-12-31 13:32:45 +01:00
macintosh macintosh/macio-adb: check the return value of ioremap() 2022-12-31 13:32:50 +01:00
mailbox mailbox: zynq-ipi: fix error handling while device_register() fails 2022-12-31 13:32:55 +01:00
mcb mcb: mcb-parse: fix error handing in chameleon_parse_gdd() 2022-12-31 13:32:41 +01:00
md block: handle bio_split_to_limits() NULL return 2023-01-18 11:58:33 +01:00
media media: dvb-core: Fix UAF due to refcount races at releasing 2023-01-07 11:11:49 +01:00
memory memory: mvebu-devbus: Fix missing clk_disable_unprepare in mvebu_devbus_probe() 2023-02-01 08:34:02 +01:00
memstick memstick/ms_block: Add check for alloc_ordered_workqueue 2022-12-31 13:32:25 +01:00
message
mfd mfd: mt6360: Add bounds checking in Regmap read/write call-backs 2023-01-04 11:29:01 +01:00
misc VMCI: Use threaded irqs instead of tasklets 2023-01-24 07:24:39 +01:00
mmc mmc: sdhci-esdhc-imx: correct the tuning start tap and step setting 2023-01-24 07:24:35 +01:00
most
mtd mtd: cfi: allow building spi-intel standalone 2023-01-18 11:58:24 +01:00
mux
net net: mlx5: eliminate anonymous module_init & module_exit 2023-02-01 08:34:23 +01:00
nfc nfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame() 2023-01-18 11:58:26 +01:00
ntb
nubus
nvdimm
nvme block: handle bio_split_to_limits() NULL return 2023-01-18 11:58:33 +01:00
nvmem nvmem: lan9662-otp: Change return type of lan9662_otp_wait_flag_clear() 2022-11-22 18:22:05 +01:00
of of: fdt: Honor CONFIG_CMDLINE* even without /chosen node, take 2 2023-01-24 07:24:32 +01:00
opp
parisc parisc: led: Fix potential null-ptr-deref in start_task() 2023-01-07 11:11:55 +01:00
parport
pci PCI/sysfs: Fix double free in error path 2023-01-07 11:11:53 +01:00
pcmcia
peci
perf drivers/perf: hisi: Fix some event id for hisi-pcie-pmu 2022-12-31 13:31:53 +01:00
phy phy: rockchip-inno-usb2: Fix missing clk_disable_unprepare() in rockchip_usb2phy_power_on() 2023-02-01 08:34:17 +01:00
pinctrl pinctrl: rockchip: fix mux route data for rk3568 2023-02-01 08:34:20 +01:00
platform platform/x86/amd: Fix refcount leak in amd_pmc_probe 2023-01-18 11:58:32 +01:00
pnp PNP: fix name memory leak in pnp_alloc_dev() 2022-12-31 13:31:56 +01:00
power power: supply: fix null pointer dereferencing in power_supply_get_battery_info 2022-12-31 13:32:45 +01:00
powercap
pps
ps3
ptp
pwm pwm: tegra: Fix 32 bit build 2022-12-31 13:33:12 +01:00
rapidio rapidio: devices: fix missing put_device in mport_cdev_open 2022-12-31 13:32:00 +01:00
ras
regulator regulator: da9211: Use irq handler when ready 2023-01-18 11:58:22 +01:00
remoteproc remoteproc: imx_rproc: Correct i.MX93 DRAM mapping 2023-01-07 11:11:55 +01:00
reset reset: uniphier-glue: Fix possible null-ptr-deref 2023-02-01 08:34:05 +01:00
rpmsg
rtc rtc: ds1347: fix value written to century register 2023-01-07 11:11:50 +01:00
s390 block: handle bio_split_to_limits() NULL return 2023-01-18 11:58:33 +01:00
sbus
scsi scsi: mpi3mr: Refer CONFIG_SCSI_MPI3MR in Makefile 2023-01-18 11:58:23 +01:00
sh
siox
slimbus
soc PM: AVS: qcom-cpr: Fix an error handling path in cpr_probe() 2023-02-01 08:34:08 +01:00
soundwire soundwire: dmi-quirks: add quirk variant for LAPBC710 NUC15 2023-01-04 11:28:56 +01:00
spi spi: fsl_spi: Don't change speed while chipselect is active 2022-12-31 13:33:11 +01:00
spmi
ssb
staging staging: vchiq_arm: fix enum vchiq_status return types 2023-01-24 07:24:35 +01:00
target scsi: target: iscsi: Fix a race condition between login_work and the login thread 2022-12-31 13:33:06 +01:00
tc
tee
thermal thermal: int340x: Add missing attribute for data rate base 2023-01-12 12:02:50 +01:00
thunderbolt thunderbolt: Do not call PM runtime functions in tb_retimer_scan() 2023-01-24 07:24:37 +01:00
tty serial: exar: Add support for Sealevel 7xxxC serial cards 2023-01-24 07:24:39 +01:00
ufs scsi: ufs: core: WLUN suspend SSU/enter hibern8 fail recovery 2023-01-18 11:58:23 +01:00
uio uio: uio_dmem_genirq: Fix deadlock between irq config and handling 2022-12-31 13:32:38 +01:00
usb usb: gadget: f_fs: Ensure ep0req is dequeued before free_request 2023-02-01 08:34:21 +01:00
vdpa vdpa_sim_net: should not drop the multicast/broadcast packet 2023-01-24 07:24:31 +01:00
vfio vfio/iova_bitmap: refactor iova_bitmap_set() to better handle page boundaries 2022-12-31 13:32:41 +01:00
vhost vhost_vdpa: fix the crash in unmap a large memory 2023-01-12 12:02:49 +01:00
video fbdev: omapfb: avoid stack overflow warning 2023-01-24 07:24:32 +01:00
virt virt/sev-guest: Add a MODULE_ALIAS 2022-12-31 13:32:09 +01:00
virtio virtio_pci: modify ENOENT to EINVAL 2023-01-24 07:24:31 +01:00
vlynq
w1
watchdog watchdog: iTCO_wdt: Set NO_REBOOT if the watchdog is not already running 2022-12-31 13:32:44 +01:00
xen xen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource() 2022-12-31 13:31:59 +01:00
zorro
Kconfig
Makefile