Commit 31352811 authored Jan 30, 2023 by Ilpo Järvinen Committed by Greg Kroah-Hartman Jan 31, 2023

serial: 8250_dma: Fix DMA Rx completion race



__dma_rx_complete() is called from two places:
  - Through the DMA completion callback dma_rx_complete()
  - From serial8250_rx_dma_flush() after IIR_RLSI or IIR_RX_TIMEOUT
The former does not hold port's lock during __dma_rx_complete() which
allows these two to race and potentially insert the same data twice.

Extend port's lock coverage in dma_rx_complete() to prevent the race
and check if the DMA Rx is still pending completion before calling
into __dma_rx_complete().

Reported-by: Gilles BULOZ <gilles.buloz@kontron.com>
Tested-by: Gilles BULOZ <gilles.buloz@kontron.com>
Fixes: 9ee4b83e ("serial: 8250: Add support for dmaengine")
Cc: stable@vger.kernel.org
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Link: https://lore.kernel.org/r/20230130114841.25749-2-ilpo.jarvinen@linux.intel.com


Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 3f6c02fa

drivers/tty/serial/8250/8250_dma.c

+7 −2

Original line number	Diff line number	Diff line
		@@ -62,9 +62,14 @@ static void dma_rx_complete(void *param)
		struct uart_8250_dma *dma = p->dma;
		unsigned long flags;

		spin_lock_irqsave(&p->port.lock, flags);
		if (dma->rx_running)
		__dma_rx_complete(p);

		spin_lock_irqsave(&p->port.lock, flags);
		/*
		* Cannot be combined with the previous check because __dma_rx_complete()
		* changes dma->rx_running.
		*/
		if (!dma->rx_running && (serial_lsr_in(p) & UART_LSR_DR))
		p->dma->rx_dma(p);
		spin_unlock_irqrestore(&p->port.lock, flags);