DMA: PL330: Fix racy mutex unlock
authorJavi Merino <javi.merino@arm.com>
Wed, 13 Jun 2012 14:07:00 +0000 (15:07 +0100)
committerVinod Koul <vinod.koul@linux.intel.com>
Thu, 14 Jun 2012 03:09:52 +0000 (08:39 +0530)
commitfdec53d5203ee3d44be7c09d1524e3a6287d46a7
tree75a88e99e26cce699c00ce95fb323dfc0e0ada1f
parent5a67ac572e102f7d877b8a3a18a59315186e3e99
DMA: PL330: Fix racy mutex unlock

pl330_update() stores a pointer to the thrd->req that finished, which
contains a pointer to the corresponding pl330_req.  This is done with
the pl330_lock held.  Then, it iterates through the req_done list,
calling the callback for each of the requests that are done.  The
problem is that the driver releases the lock before calling the
callback for each of the callbacks.  pl330_submit_req() running in
another processor can then acquire the lock and insert another request
in one of the thrd->req that hasn't been processed yet, replacing the
pointer to pl330_req there.  When the callback returns in
pl330_update() and the next rqdone is popped from the list, it
dereferences the pl330_req pointer to the just scheduled pl330_req,
instead of the one that has finished, calling pl330 with the wrong r.

This patch fixes this by storing the pointer to pl330_req directly in
the list.

Signed-off-by: Javi Merino <javi.merino@arm.com>
Cc: Jassi Brar <jaswinder.singh@linaro.org>
Acked-by: Jassi Brar <jaswinder.singh@linaro.org>
Signed-off-by: Vinod Koul <vinod.koul@linux.intel.com>
drivers/dma/pl330.c