On 07-06-26, 10:36, Gavin Li wrote:
> virtio_i2c_complete_reqs() uses wait_for_completion_interruptible() and stops
> waiting when a signal arrives. virtio_i2c_xfer() then frees reqs and the
> per-request DMA bounce buffers while the device may still hold virtqueue
> tokens pointing at &reqs[i] and DMA into read bounce buffers. Additionally,
> when the device later completes those requests, virtio_i2c_msg_done() calls
> complete() on freed memory and can corrupt the slab freelist.
>
> Wait uninterruptibly for every completion before freeing reqs. This
> matches how other virtio drivers retain request storage until the device
> completes it. The virtio spec unfortunately does not provide a way to
> cancel an in-flight request, so waiting uninterruptibly is required.
>
> Signed-off-by: Gavin Li <[email protected]>
> ---
> drivers/i2c/busses/i2c-virtio.c | 15 +++++++--------
> 1 file changed, 7 insertions(+), 8 deletions(-)

This is a revert of (and maybe better if that is mentioned in the logs):

commit a663b3c47ab1 ("i2c: virtio: Avoid hang by using interruptible completion wait")

I don't think this is the right approach here. We shouldn't hang the kernel
indefinitely if the other side is dead.

--
viresh