From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
To: gregkh@linuxfoundation.org
Cc: hemantk@codeaurora.org, bbhatt@codeaurora.org,
linux-arm-msm@vger.kernel.org, jhugo@codeaurora.org,
linux-kernel@vger.kernel.org, loic.poulain@linaro.org,
kvalo@codeaurora.org, ath11k@lists.infradead.org,
Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Subject: [PATCH 1/1] mhi: Fix double dma free
Date: Wed, 10 Feb 2021 13:55:38 +0530 [thread overview]
Message-ID: <20210210082538.2494-2-manivannan.sadhasivam@linaro.org> (raw)
In-Reply-To: <20210210082538.2494-1-manivannan.sadhasivam@linaro.org>
From: Loic Poulain <loic.poulain@linaro.org>
mhi_deinit_chan_ctxt functionthat takes care of unitializing channel
resources, including unmapping coherent MHI areas, can be called
from different path in case of controller unregistering/removal:
- From a client driver remove callback, via mhi_unprepare_channel
- From mhi_driver_remove that unitialize all channels
mhi_driver_remove()
|-> driver->remove()
| |-> mhi_unprepare_channel()
| |-> mhi_deinit_chan_ctxt()
|...
|-> mhi_deinit_chan_ctxt()
This leads to double dma freeing...
Fix that by preventing deinit for already uninitialized channel.
Fixes: a7f422f2f89e ("bus: mhi: Fix channel close issue on driver remove")
Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
Reported-by: Kalle Valo <kvalo@codeaurora.org>
Tested-by: Kalle Valo <kvalo@codeaurora.org>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/1612894264-15956-1-git-send-email-loic.poulain@linaro.org
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
---
drivers/bus/mhi/core/init.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/bus/mhi/core/init.c b/drivers/bus/mhi/core/init.c
index aa575d3fb3ae..be4eebb0971b 100644
--- a/drivers/bus/mhi/core/init.c
+++ b/drivers/bus/mhi/core/init.c
@@ -557,6 +557,9 @@ void mhi_deinit_chan_ctxt(struct mhi_controller *mhi_cntrl,
tre_ring = &mhi_chan->tre_ring;
chan_ctxt = &mhi_cntrl->mhi_ctxt->chan_ctxt[mhi_chan->chan];
+ if (!chan_ctxt->rbase) /* Already uninitialized */
+ return;
+
mhi_free_coherent(mhi_cntrl, tre_ring->alloc_size,
tre_ring->pre_aligned, tre_ring->dma_handle);
vfree(buf_ring->base);
--
2.25.1
WARNING: multiple messages have this Message-ID (diff)
From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
To: gregkh@linuxfoundation.org
Cc: loic.poulain@linaro.org, jhugo@codeaurora.org,
linux-arm-msm@vger.kernel.org, bbhatt@codeaurora.org,
linux-kernel@vger.kernel.org,
Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>,
hemantk@codeaurora.org, ath11k@lists.infradead.org,
kvalo@codeaurora.org
Subject: [PATCH 1/1] mhi: Fix double dma free
Date: Wed, 10 Feb 2021 13:55:38 +0530 [thread overview]
Message-ID: <20210210082538.2494-2-manivannan.sadhasivam@linaro.org> (raw)
In-Reply-To: <20210210082538.2494-1-manivannan.sadhasivam@linaro.org>
From: Loic Poulain <loic.poulain@linaro.org>
mhi_deinit_chan_ctxt functionthat takes care of unitializing channel
resources, including unmapping coherent MHI areas, can be called
from different path in case of controller unregistering/removal:
- From a client driver remove callback, via mhi_unprepare_channel
- From mhi_driver_remove that unitialize all channels
mhi_driver_remove()
|-> driver->remove()
| |-> mhi_unprepare_channel()
| |-> mhi_deinit_chan_ctxt()
|...
|-> mhi_deinit_chan_ctxt()
This leads to double dma freeing...
Fix that by preventing deinit for already uninitialized channel.
Fixes: a7f422f2f89e ("bus: mhi: Fix channel close issue on driver remove")
Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
Reported-by: Kalle Valo <kvalo@codeaurora.org>
Tested-by: Kalle Valo <kvalo@codeaurora.org>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/1612894264-15956-1-git-send-email-loic.poulain@linaro.org
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
---
drivers/bus/mhi/core/init.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/bus/mhi/core/init.c b/drivers/bus/mhi/core/init.c
index aa575d3fb3ae..be4eebb0971b 100644
--- a/drivers/bus/mhi/core/init.c
+++ b/drivers/bus/mhi/core/init.c
@@ -557,6 +557,9 @@ void mhi_deinit_chan_ctxt(struct mhi_controller *mhi_cntrl,
tre_ring = &mhi_chan->tre_ring;
chan_ctxt = &mhi_cntrl->mhi_ctxt->chan_ctxt[mhi_chan->chan];
+ if (!chan_ctxt->rbase) /* Already uninitialized */
+ return;
+
mhi_free_coherent(mhi_cntrl, tre_ring->alloc_size,
tre_ring->pre_aligned, tre_ring->dma_handle);
vfree(buf_ring->base);
--
2.25.1
--
ath11k mailing list
ath11k@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/ath11k
next prev parent reply other threads:[~2021-02-10 8:28 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-10 8:25 [PATCH 0/1] MHI fix for v5.12 Manivannan Sadhasivam
2021-02-10 8:25 ` Manivannan Sadhasivam
2021-02-10 8:25 ` Manivannan Sadhasivam [this message]
2021-02-10 8:25 ` [PATCH 1/1] mhi: Fix double dma free Manivannan Sadhasivam
2021-02-10 17:45 ` Bhaumik Bhatt
2021-02-10 17:45 ` Bhaumik Bhatt
2021-03-01 19:59 ` [PATCH 0/1] MHI fix for v5.12 patchwork-bot+linux-arm-msm
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210210082538.2494-2-manivannan.sadhasivam@linaro.org \
--to=manivannan.sadhasivam@linaro.org \
--cc=ath11k@lists.infradead.org \
--cc=bbhatt@codeaurora.org \
--cc=gregkh@linuxfoundation.org \
--cc=hemantk@codeaurora.org \
--cc=jhugo@codeaurora.org \
--cc=kvalo@codeaurora.org \
--cc=linux-arm-msm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=loic.poulain@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.