forked from luck/tmp_suning_uos_patched
91539eb1fd
The static bug finder EBA (http://www.iagoabal.eu/eba/) reported the following double-lock bug: Double lock: 1. spin_lock_irqsave(pch->lock, flags) at pl330_free_chan_resources:2236; 2. call to function `pl330_release_channel' immediately after; 3. call to function `dma_pl330_rqcb' in line 1753; 4. spin_lock_irqsave(pch->lock, flags) at dma_pl330_rqcb:1505. I have fixed it as suggested by Marek Szyprowski. First, I have replaced `pch->lock' with `pl330->lock' in functions `pl330_alloc_chan_resources' and `pl330_free_chan_resources'. This avoids the double-lock by acquiring a different lock than `dma_pl330_rqcb'. NOTE that, as a result, `pl330_free_chan_resources' executes `list_splice_tail_init' on `pch->work_list' under lock `pl330->lock', whereas in the rest of the code `pch->work_list' is protected by `pch->lock'. I don't know if this may cause race conditions. Similarly `pch->cyclic' is written by `pl330_alloc_chan_resources' under `pl330->lock' but read by `pl330_tx_submit' under `pch->lock'. Second, I have removed locking from `pl330_request_channel' and `pl330_release_channel' functions. Function `pl330_request_channel' is only called from `pl330_alloc_chan_resources', so the lock is already held. Function `pl330_release_channel' is called from `pl330_free_chan_resources', which already holds the lock, and from `pl330_del'. Function `pl330_del' is called in an error path of `pl330_probe' and at the end of `pl330_remove', but I assume that there cannot be concurrent accesses to the protected data at those points. Signed-off-by: Iago Abal <mail@iagoabal.eu> Reviewed-by: Marek Szyprowski <m.szyprowski@samsung.com> Signed-off-by: Vinod Koul <vinod.koul@intel.com> |
||
---|---|---|
.. | ||
bestcomm | ||
dw | ||
hsu | ||
ioat | ||
ipu | ||
ppc4xx | ||
qcom | ||
sh | ||
xilinx | ||
acpi-dma.c | ||
amba-pl08x.c | ||
at_hdmac_regs.h | ||
at_hdmac.c | ||
at_xdmac.c | ||
bcm2835-dma.c | ||
coh901318_lli.c | ||
coh901318.c | ||
coh901318.h | ||
cppi41.c | ||
dma-axi-dmac.c | ||
dma-jz4740.c | ||
dma-jz4780.c | ||
dmaengine.c | ||
dmaengine.h | ||
dmatest.c | ||
edma.c | ||
ep93xx_dma.c | ||
fsl_raid.c | ||
fsl_raid.h | ||
fsl-edma.c | ||
fsldma.c | ||
fsldma.h | ||
idma64.c | ||
idma64.h | ||
img-mdc-dma.c | ||
imx-dma.c | ||
imx-sdma.c | ||
iop-adma.c | ||
k3dma.c | ||
Kconfig | ||
lpc18xx-dmamux.c | ||
Makefile | ||
mic_x100_dma.c | ||
mic_x100_dma.h | ||
mmp_pdma.c | ||
mmp_tdma.c | ||
moxart-dma.c | ||
mpc512x_dma.c | ||
mv_xor_v2.c | ||
mv_xor.c | ||
mv_xor.h | ||
mxs-dma.c | ||
nbpfaxi.c | ||
of-dma.c | ||
omap-dma.c | ||
pch_dma.c | ||
pl330.c | ||
pxa_dma.c | ||
s3c24xx-dma.c | ||
sa11x0-dma.c | ||
sirf-dma.c | ||
st_fdma.c | ||
st_fdma.h | ||
ste_dma40_ll.c | ||
ste_dma40_ll.h | ||
ste_dma40.c | ||
stm32-dma.c | ||
sun4i-dma.c | ||
sun6i-dma.c | ||
tegra20-apb-dma.c | ||
tegra210-adma.c | ||
ti-dma-crossbar.c | ||
timb_dma.c | ||
TODO | ||
txx9dmac.c | ||
txx9dmac.h | ||
virt-dma.c | ||
virt-dma.h | ||
xgene-dma.c | ||
zx296702_dma.c |