[PATCH] drivers/dma/dma-jz4780: Fix race condition between probe and irq handler

[PATCH] drivers/dma/dma-jz4780: Fix race condition between probe and irq handler

[madhuparnabhowmik10]

From: Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>

In probe IRQ is requested before zchan->id is initialized which can be
read in the irq handler. Hence, shift request irq and enable clock after
other initializations complete. Here, enable clock part is not part of
the race, it is just shifted down after request_irq to keep the error
path same as before.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
---
 drivers/dma/dma-jz4780.c | 44 ++++++++++++++++++++--------------------
 1 file changed, 22 insertions(+), 22 deletions(-)

diff --git a/drivers/dma/dma-jz4780.c b/drivers/dma/dma-jz4780.c
index 448f663da89c..5cbc8c3bd6c7 100644
--- a/drivers/dma/dma-jz4780.c
+++ b/drivers/dma/dma-jz4780.c
@@ -879,28 +879,6 @@ static int jz4780_dma_probe(struct platform_device *pdev)
 		return -EINVAL;
 	}
 
-	ret = platform_get_irq(pdev, 0);
-	if (ret < 0)
-		return ret;
-
-	jzdma->irq = ret;
-
-	ret = request_irq(jzdma->irq, jz4780_dma_irq_handler, 0, dev_name(dev),
-			  jzdma);
-	if (ret) {
-		dev_err(dev, "failed to request IRQ %u!\n", jzdma->irq);
-		return ret;
-	}
-
-	jzdma->clk = devm_clk_get(dev, NULL);
-	if (IS_ERR(jzdma->clk)) {
-		dev_err(dev, "failed to get clock\n");
-		ret = PTR_ERR(jzdma->clk);
-		goto err_free_irq;
-	}
-
-	clk_prepare_enable(jzdma->clk);
-
 	/* Property is optional, if it doesn't exist the value will remain 0. */
 	of_property_read_u32_index(dev->of_node, "ingenic,reserved-channels",
 				   0, &jzdma->chan_reserved);
@@ -949,6 +927,28 @@ static int jz4780_dma_probe(struct platform_device *pdev)
 		jzchan->vchan.desc_free = jz4780_dma_desc_free;
 	}
 
+	ret = platform_get_irq(pdev, 0);
+	if (ret < 0)
+		return ret;
+
+	jzdma->irq = ret;
+
+	ret = request_irq(jzdma->irq, jz4780_dma_irq_handler, 0, dev_name(dev),
+			  jzdma);
+	if (ret) {
+		dev_err(dev, "failed to request IRQ %u!\n", jzdma->irq);
+		return ret;
+	}
+
+	jzdma->clk = devm_clk_get(dev, NULL);
+	if (IS_ERR(jzdma->clk)) {
+		dev_err(dev, "failed to get clock\n");
+		ret = PTR_ERR(jzdma->clk);
+		goto err_free_irq;
+	}
+
+	clk_prepare_enable(jzdma->clk);
+
 	ret = dmaenginem_async_device_register(dd);
 	if (ret) {
 		dev_err(dev, "failed to register device\n");
-- 
2.17.1

Re: [PATCH] drivers/dma/dma-jz4780: Fix race condition between probe and irq handler

[Paul Cercueil]

Hi,

Le dim. 16 août 2020 à 12:52, madhuparnabhowmik10@gmail.com a écrit :
> From: Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
> 
> In probe IRQ is requested before zchan->id is initialized which can be
> read in the irq handler. Hence, shift request irq and enable clock 
> after
> other initializations complete. Here, enable clock part is not part of
> the race, it is just shifted down after request_irq to keep the error
> path same as before.
> 
> Found by Linux Driver Verification project (linuxtesting.org).
> 
> Signed-off-by: Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>

I don't think there is a race at all, the interrupt handler won't be 
called before the DMA is registered.

More importantly, this patch will break things, as there are now 
register writes in the probe before the clock is enabled.

Cheers,
-Paul

> ---
>  drivers/dma/dma-jz4780.c | 44 
> ++++++++++++++++++++--------------------
>  1 file changed, 22 insertions(+), 22 deletions(-)
> 
> diff --git a/drivers/dma/dma-jz4780.c b/drivers/dma/dma-jz4780.c
> index 448f663da89c..5cbc8c3bd6c7 100644
> --- a/drivers/dma/dma-jz4780.c
> +++ b/drivers/dma/dma-jz4780.c
> @@ -879,28 +879,6 @@ static int jz4780_dma_probe(struct 
> platform_device *pdev)
>  		return -EINVAL;
>  	}
> 
> -	ret = platform_get_irq(pdev, 0);
> -	if (ret < 0)
> -		return ret;
> -
> -	jzdma->irq = ret;
> -
> -	ret = request_irq(jzdma->irq, jz4780_dma_irq_handler, 0, 
> dev_name(dev),
> -			  jzdma);
> -	if (ret) {
> -		dev_err(dev, "failed to request IRQ %u!\n", jzdma->irq);
> -		return ret;
> -	}
> -
> -	jzdma->clk = devm_clk_get(dev, NULL);
> -	if (IS_ERR(jzdma->clk)) {
> -		dev_err(dev, "failed to get clock\n");
> -		ret = PTR_ERR(jzdma->clk);
> -		goto err_free_irq;
> -	}
> -
> -	clk_prepare_enable(jzdma->clk);
> -
>  	/* Property is optional, if it doesn't exist the value will remain 
> 0. */
>  	of_property_read_u32_index(dev->of_node, 
> "ingenic,reserved-channels",
>  				   0, &jzdma->chan_reserved);
> @@ -949,6 +927,28 @@ static int jz4780_dma_probe(struct 
> platform_device *pdev)
>  		jzchan->vchan.desc_free = jz4780_dma_desc_free;
>  	}
> 
> +	ret = platform_get_irq(pdev, 0);
> +	if (ret < 0)
> +		return ret;
> +
> +	jzdma->irq = ret;
> +
> +	ret = request_irq(jzdma->irq, jz4780_dma_irq_handler, 0, 
> dev_name(dev),
> +			  jzdma);
> +	if (ret) {
> +		dev_err(dev, "failed to request IRQ %u!\n", jzdma->irq);
> +		return ret;
> +	}
> +
> +	jzdma->clk = devm_clk_get(dev, NULL);
> +	if (IS_ERR(jzdma->clk)) {
> +		dev_err(dev, "failed to get clock\n");
> +		ret = PTR_ERR(jzdma->clk);
> +		goto err_free_irq;
> +	}
> +
> +	clk_prepare_enable(jzdma->clk);
> +
>  	ret = dmaenginem_async_device_register(dd);
>  	if (ret) {
>  		dev_err(dev, "failed to register device\n");
> --
> 2.17.1
> 

Re: [PATCH] drivers/dma/dma-jz4780: Fix race condition between probe and irq handler

[Madhuparna Bhowmik]

On Thu, Aug 20, 2020 at 01:59:23PM +0200, Paul Cercueil wrote:
> Hi,
> 
> Le dim. 16 août 2020 à 12:52, madhuparnabhowmik10@gmail.com a écrit :
> > From: Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
> > 
> > In probe IRQ is requested before zchan->id is initialized which can be
> > read in the irq handler. Hence, shift request irq and enable clock after
> > other initializations complete. Here, enable clock part is not part of
> > the race, it is just shifted down after request_irq to keep the error
> > path same as before.
> > 
> > Found by Linux Driver Verification project (linuxtesting.org).
> > 
> > Signed-off-by: Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
> 
> I don't think there is a race at all, the interrupt handler won't be called
> before the DMA is registered.
> 
> More importantly, this patch will break things, as there are now register
> writes in the probe before the clock is enabled.
>
Okay, thanks for reviewing the patch anyway, and sorry for the trouble.

Regards,
Madhuparna
> Cheers,
> -Paul
> 
> > ---
> >  drivers/dma/dma-jz4780.c | 44 ++++++++++++++++++++--------------------
> >  1 file changed, 22 insertions(+), 22 deletions(-)
> > 
> > diff --git a/drivers/dma/dma-jz4780.c b/drivers/dma/dma-jz4780.c
> > index 448f663da89c..5cbc8c3bd6c7 100644
> > --- a/drivers/dma/dma-jz4780.c
> > +++ b/drivers/dma/dma-jz4780.c
> > @@ -879,28 +879,6 @@ static int jz4780_dma_probe(struct platform_device
> > *pdev)
> >  		return -EINVAL;
> >  	}
> > 
> > -	ret = platform_get_irq(pdev, 0);
> > -	if (ret < 0)
> > -		return ret;
> > -
> > -	jzdma->irq = ret;
> > -
> > -	ret = request_irq(jzdma->irq, jz4780_dma_irq_handler, 0,
> > dev_name(dev),
> > -			  jzdma);
> > -	if (ret) {
> > -		dev_err(dev, "failed to request IRQ %u!\n", jzdma->irq);
> > -		return ret;
> > -	}
> > -
> > -	jzdma->clk = devm_clk_get(dev, NULL);
> > -	if (IS_ERR(jzdma->clk)) {
> > -		dev_err(dev, "failed to get clock\n");
> > -		ret = PTR_ERR(jzdma->clk);
> > -		goto err_free_irq;
> > -	}
> > -
> > -	clk_prepare_enable(jzdma->clk);
> > -
> >  	/* Property is optional, if it doesn't exist the value will remain 0.
> > */
> >  	of_property_read_u32_index(dev->of_node, "ingenic,reserved-channels",
> >  				   0, &jzdma->chan_reserved);
> > @@ -949,6 +927,28 @@ static int jz4780_dma_probe(struct platform_device
> > *pdev)
> >  		jzchan->vchan.desc_free = jz4780_dma_desc_free;
> >  	}
> > 
> > +	ret = platform_get_irq(pdev, 0);
> > +	if (ret < 0)
> > +		return ret;
> > +
> > +	jzdma->irq = ret;
> > +
> > +	ret = request_irq(jzdma->irq, jz4780_dma_irq_handler, 0,
> > dev_name(dev),
> > +			  jzdma);
> > +	if (ret) {
> > +		dev_err(dev, "failed to request IRQ %u!\n", jzdma->irq);
> > +		return ret;
> > +	}
> > +
> > +	jzdma->clk = devm_clk_get(dev, NULL);
> > +	if (IS_ERR(jzdma->clk)) {
> > +		dev_err(dev, "failed to get clock\n");
> > +		ret = PTR_ERR(jzdma->clk);
> > +		goto err_free_irq;
> > +	}
> > +
> > +	clk_prepare_enable(jzdma->clk);
> > +
> >  	ret = dmaenginem_async_device_register(dd);
> >  	if (ret) {
> >  		dev_err(dev, "failed to register device\n");
> > --
> > 2.17.1
> > 
> 
> 

Re: [PATCH] drivers/dma/dma-jz4780: Fix race condition between probe and irq handler

[Lars-Peter Clausen]

On 8/20/20 1:59 PM, Paul Cercueil wrote:
> Hi,
>
> Le dim. 16 août 2020 à 12:52, madhuparnabhowmik10@gmail.com a écrit :
>> From: Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
>>
>> In probe IRQ is requested before zchan->id is initialized which can be
>> read in the irq handler. Hence, shift request irq and enable clock after
>> other initializations complete. Here, enable clock part is not part of
>> the race, it is just shifted down after request_irq to keep the error
>> path same as before.
>>
>> Found by Linux Driver Verification project (linuxtesting.org).
>>
>> Signed-off-by: Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
>
> I don't think there is a race at all, the interrupt handler won't be 
> called before the DMA is registered.
>
 From a purely formal verification perspective there is a bug. The 
interrupt could fire if i.e. the hardware is buggy or something. In 
general it is a good idea to not request the IRQ until all the resources 
that are used in the interrupt handler are properly set up. Even if you 
know that in practice the interrupt will never fire this early.

Re: [PATCH] drivers/dma/dma-jz4780: Fix race condition between probe and irq handler

[Paul Cercueil]

Le jeu. 20 août 2020 à 20:23, Lars-Peter Clausen <lars@metafoo.de> a 
écrit :
> On 8/20/20 1:59 PM, Paul Cercueil wrote:
>> Hi,
>> 
>> Le dim. 16 août 2020 à 12:52, madhuparnabhowmik10@gmail.com a 
>> écrit :
>>> From: Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
>>> 
>>> In probe IRQ is requested before zchan->id is initialized which can 
>>> be
>>> read in the irq handler. Hence, shift request irq and enable clock 
>>> after
>>> other initializations complete. Here, enable clock part is not part 
>>> of
>>> the race, it is just shifted down after request_irq to keep the 
>>> error
>>> path same as before.
>>> 
>>> Found by Linux Driver Verification project (linuxtesting.org).
>>> 
>>> Signed-off-by: Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
>> 
>> I don't think there is a race at all, the interrupt handler won't be 
>> \x7fcalled before the DMA is registered.
>> 
> From a purely formal verification perspective there is a bug. The 
> interrupt could fire if i.e. the hardware is buggy or something. In 
> general it is a good idea to not request the IRQ until all the 
> resources that are used in the interrupt handler are properly set up. 
> Even if you know that in practice the interrupt will never fire this 
> early.
> 

Fair enough, I'm fine with that, but the patch should be reworked so 
that the clk_prepare_enable() call is not moved.

Cheers,
-Paul

Re: [PATCH] drivers/dma/dma-jz4780: Fix race condition between probe and irq handler

[Madhuparna Bhowmik]

On Thu, Aug 20, 2020 at 08:46:43PM +0200, Paul Cercueil wrote:
> 
> 
> Le jeu. 20 août 2020 à 20:23, Lars-Peter Clausen <lars@metafoo.de> a écrit :
> > On 8/20/20 1:59 PM, Paul Cercueil wrote:
> > > Hi,
> > > 
> > > Le dim. 16 août 2020 à 12:52, madhuparnabhowmik10@gmail.com a écrit
> > > :
> > > > From: Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
> > > > 
> > > > In probe IRQ is requested before zchan->id is initialized which
> > > > can be
> > > > read in the irq handler. Hence, shift request irq and enable
> > > > clock after
> > > > other initializations complete. Here, enable clock part is not
> > > > part of
> > > > the race, it is just shifted down after request_irq to keep the
> > > > error
> > > > path same as before.
> > > > 
> > > > Found by Linux Driver Verification project (linuxtesting.org).
> > > > 
> > > > Signed-off-by: Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
> > > 
> > > I don't think there is a race at all, the interrupt handler won't be
> > > \x7fcalled before the DMA is registered.
> > > 
> > From a purely formal verification perspective there is a bug. The
> > interrupt could fire if i.e. the hardware is buggy or something. In
> > general it is a good idea to not request the IRQ until all the resources
> > that are used in the interrupt handler are properly set up. Even if you
> > know that in practice the interrupt will never fire this early.
> > 
>
> Fair enough, I'm fine with that, but the patch should be reworked so that
> the clk_prepare_enable() call is not moved.
>

Sure, I will send the v2 of the patch with this change soon.

Thanks,
Madhuparna
> Cheers,
> -Paul
> 
>