dmaengine: at_hdmac: Fix concurrency over the active list

commit 03ed9ba357cc78116164b90b87f45eacab60b561 upstream.

The tasklet (atc_advance_work()) did not held the channel lock when
retrieving the first active descriptor, causing concurrency problems if
issue_pending() was called in between. If issue_pending() was called
exactly after the lock was released in the tasklet (atc_advance_work()),
atc_chain_complete() could complete a descriptor for which the controller
has not yet raised an interrupt.

Fixes: dc78baa2b90b ("dmaengine: at_hdmac: new driver for the Atmel AHB DMA Controller")
Reported-by: Peter Rosin <peda@axentia.se>
Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/lkml/13c6c9a2-6db5-c3bf-349b-4c127ad3496a@axentia.se/
Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
Link: https://lore.kernel.org/r/20221025090306.297886-1-tudor.ambarus@microchip.com
Link: https://lore.kernel.org/r/20221025090306.297886-11-tudor.ambarus@microchip.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/dma/at_hdmac.c b/drivers/dma/at_hdmac.c
index 02dd095..7f19e96 100644 (file)
--- a/drivers/dma/at_hdmac.c
+++ b/drivers/dma/at_hdmac.c
@@ -462,8 +462,6 @@ atc_chain_complete(struct at_dma_chan *atchan, struct at_desc *desc)
        if (!atc_chan_is_cyclic(atchan))
                dma_cookie_complete(txd);
 
-       /* Remove transfer node from the active list. */
-       list_del_init(&desc->desc_node);
        spin_unlock_irqrestore(&atchan->lock, flags);
 
        dma_descriptor_unmap(txd);
@@ -495,6 +493,7 @@ atc_chain_complete(struct at_dma_chan *atchan, struct at_desc *desc)
  */
 static void atc_advance_work(struct at_dma_chan *atchan)
 {
+       struct at_desc *desc;
        unsigned long flags;
 
        dev_vdbg(chan2dev(&atchan->chan_common), "advance_work\n");
@@ -502,9 +501,12 @@ static void atc_advance_work(struct at_dma_chan *atchan)
        spin_lock_irqsave(&atchan->lock, flags);
        if (atc_chan_is_enabled(atchan) || list_empty(&atchan->active_list))
                return spin_unlock_irqrestore(&atchan->lock, flags);
-       spin_unlock_irqrestore(&atchan->lock, flags);
 
-       atc_chain_complete(atchan, atc_first_active(atchan));
+       desc = atc_first_active(atchan);
+       /* Remove the transfer node from the active list. */
+       list_del_init(&desc->desc_node);
+       spin_unlock_irqrestore(&atchan->lock, flags);
+       atc_chain_complete(atchan, desc);
 
        /* advance work */
        spin_lock_irqsave(&atchan->lock, flags);