Re: [PATCH] DMA: PL330: Fix racy mutex unlock

From: Jassi Brar
Date: Wed Jun 13 2012 - 15:15:27 EST


On 14 June 2012 00:06, Javi Merino <javi.merino@xxxxxxx> wrote:
>
> Ok, the description sucks.  Let me try to describe it with the scenario that
> failed:
>
> Core 0:
> - Two DMA transactions finish, in channels 0 and 1.
> - pl330_update() is called, the "Event-Interrupt Status Register" (ES)
>  is 0x3.
> - In the "for (ev = 0;..." loop
>  + two pointers are stored in pl330->req_done:
>    pl330->channels[0]->req[0] and pl330->channels[1]->req[0]
> - In the "while (!list_empty.." loop,
>  + r = pl330->channels[0]->req[0]->r
>  + Release the pl330_lock and call _callback()
>
> Core 1:
> - pl330_submit_req() for channel 1
> - Grab the pl330_lock
> - Hook a request in pl330->channels[1]->req[0]->r
> - Release the pl330_lock
>
> Core 0:
> - _callback() returns
> - Acquire the pl330_lock again
> - second iteration of "while (!list_empty.." loop,
>  + r = pl330->channels[1]->req[0]->r , but you get the r that has just
>    been scheduled, not the one that finished.
>
Thanks for the detailed explanation of the bug.

I see, it's not safe across channels. Another option could be taking
the channel's lock in update and submit.

Acked-by: Jassi Brar <jaswinder.singh@xxxxxxxxxx>
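The interleaving described in the quoted scenario, as an added example that is not part of the original thread or of the pl330 driver: a single-threaded C model that replays the steps in the order given. The names `xfer`, `slot`, `core1_submit` and `second_completion` and the request ids are constructed for illustration, and the snapshot variant is one assumed way to avoid the stale read, not necessarily what the patch does.

```c
#include <stdio.h>

/* Simplified model; these are not the driver's real structures. */
struct xfer { int id; };          /* stands in for a request "r" */
struct slot { struct xfer *r; };  /* stands in for channels[n]->req[0] */

#define NCHAN 2
static struct slot chan[NCHAN];
static struct xfer finished[NCHAN] = { {100}, {101} }; /* constructed ids */
static struct xfer fresh = { 999 };  /* request submitted by core 1 */

/* Models pl330_submit_req() on core 1 while core 0 has dropped the lock. */
static void core1_submit(int ch) { chan[ch].r = &fresh; }

/* Returns the id that core 0 completes in its second loop iteration.
 * snapshot == 0: queue slot pointers, read slot->r after re-locking (racy).
 * snapshot != 0: queue the request pointers read while the lock is held. */
int second_completion(int snapshot)
{
    struct slot *done_slot[NCHAN];
    struct xfer *done_req[NCHAN];
    int completed[NCHAN];

    for (int ch = 0; ch < NCHAN; ch++)  /* both transfers in flight */
        chan[ch].r = &finished[ch];

    /* "for (ev = 0; ..." loop: ES is 0x3, lock held */
    for (int ev = 0; ev < NCHAN; ev++) {
        done_slot[ev] = &chan[ev];
        done_req[ev] = chan[ev].r;
    }

    /* "while (!list_empty ..." loop */
    for (int i = 0; i < NCHAN; i++) {
        struct xfer *r = snapshot ? done_req[i] : done_slot[i]->r;
        completed[i] = r->id;
        if (i == 0)           /* lock dropped for _callback(): core 1 runs */
            core1_submit(1);  /* lock is re-acquired after this point */
    }
    return completed[1];
}

int main(void)
{
    printf("slot pointers queued:    completes id %d\n", second_completion(0));
    printf("request pointers queued: completes id %d\n", second_completion(1));
    return 0;
}
```

In the racy variant the second completion reports the request core 1 has only just submitted (id 999) instead of the one that finished (id 101).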