From: kernel test robot <lkp@intel.com>
To: oe-kbuild@lists.linux.dev
Cc: lkp@intel.com, Dan Carpenter <error27@gmail.com>
Subject: Re: [PATCH v2 3/4] dmaengine: dma-axi-dmac: fix use-after-free on unbind
Date: Mon, 30 Mar 2026 07:40:55 +0800
Message-ID: <202603300705.jhDfInJk-lkp@intel.com>
BCC: lkp@intel.com
CC: oe-kbuild-all@lists.linux.dev
In-Reply-To: <20260327-dma-dmac-handle-vunmap-v2-3-021f95f0e87b@analog.com>
References: <20260327-dma-dmac-handle-vunmap-v2-3-021f95f0e87b@analog.com>
TO: "Nuno Sá via B4 Relay" <devnull+nuno.sa.analog.com@kernel.org>
TO: dmaengine@vger.kernel.org
TO: linux-kernel@vger.kernel.org
CC: "Lars-Peter Clausen" <lars@metafoo.de>
CC: Vinod Koul <vkoul@kernel.org>
CC: Frank Li <Frank.Li@kernel.org>
Hi Nuno,

kernel test robot noticed the following build warnings:

[auto build test WARNING on b7560798466a07d9c3fb011698e92c335ab28baf]
url: https://github.com/intel-lab-lkp/linux/commits/Nuno-S-via-B4-Relay/dmaengine-Fix-possuible-use-after-free/20260329-160000
base: b7560798466a07d9c3fb011698e92c335ab28baf
patch link: https://lore.kernel.org/r/20260327-dma-dmac-handle-vunmap-v2-3-021f95f0e87b%40analog.com
patch subject: [PATCH v2 3/4] dmaengine: dma-axi-dmac: fix use-after-free on unbind
:::::: branch date: 16 hours ago
:::::: commit date: 16 hours ago
config: loongarch-randconfig-r071-20260329 (https://download.01.org/0day-ci/archive/20260330/202603300705.jhDfInJk-lkp@intel.com/config)
compiler: loongarch64-linux-gcc (GCC) 15.2.0
smatch: v0.5.0-9004-gb810ac53
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <error27@gmail.com>
| Closes: https://lore.kernel.org/r/202603300705.jhDfInJk-lkp@intel.com/

smatch warnings:
drivers/dma/dma-axi-dmac.c:1342 axi_dmac_probe() warn: address of NULL pointer 'dmac'

vim +/dmac +1342 drivers/dma/dma-axi-dmac.c
e6cff0d5c22ce16 Nuno Sá 2026-03-27 1231
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1232 static int axi_dmac_probe(struct platform_device *pdev)
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1233 {
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1234 struct dma_device *dma_dev;
e6cff0d5c22ce16 Nuno Sá 2026-03-27 1235 struct axi_dmac *__dmac;
a5b982af953bcc8 Chuhong Yuan 2019-12-09 1236 struct regmap *regmap;
b377e670bac558a Alexandru Ardelean 2020-08-25 1237 unsigned int version;
238f68a08e19a61 Paul Cercueil 2023-12-15 1238 u32 irq_mask = 0;
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1239 int ret;
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1240
e6cff0d5c22ce16 Nuno Sá 2026-03-27 1241 struct axi_dmac *dmac __free(kfree) = kzalloc_obj(struct axi_dmac);
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1242 if (!dmac)
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1243 return -ENOMEM;
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1244
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1245 dmac->irq = platform_get_irq(pdev, 0);
50dc60a25597e10 Lars-Peter Clausen 2016-07-01 1246 if (dmac->irq < 0)
50dc60a25597e10 Lars-Peter Clausen 2016-07-01 1247 return dmac->irq;
50dc60a25597e10 Lars-Peter Clausen 2016-07-01 1248 if (dmac->irq == 0)
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1249 return -EINVAL;
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1250
4b23603a251d240 Tudor Ambarus 2022-11-10 1251 dmac->base = devm_platform_ioremap_resource(pdev, 0);
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1252 if (IS_ERR(dmac->base))
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1253 return PTR_ERR(dmac->base);
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1254
779a44831a4f646 Nuno Sa 2024-03-28 1255 dmac->clk = devm_clk_get_enabled(&pdev->dev, NULL);
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1256 if (IS_ERR(dmac->clk))
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1257 return PTR_ERR(dmac->clk);
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1258
78a2f92e4c4a3b7 Alexandru Ardelean 2020-08-25 1259 version = axi_dmac_read(dmac, ADI_AXI_REG_VERSION);
78a2f92e4c4a3b7 Alexandru Ardelean 2020-08-25 1260
78a2f92e4c4a3b7 Alexandru Ardelean 2020-08-25 1261 if (version >= ADI_AXI_PCORE_VER(4, 3, 'a'))
78a2f92e4c4a3b7 Alexandru Ardelean 2020-08-25 1262 ret = axi_dmac_read_chan_config(&pdev->dev, dmac);
78a2f92e4c4a3b7 Alexandru Ardelean 2020-08-25 1263 else
06b6e88c7ecf48e Alexandru Ardelean 2020-08-25 1264 ret = axi_dmac_parse_dt(&pdev->dev, dmac);
78a2f92e4c4a3b7 Alexandru Ardelean 2020-08-25 1265
06b6e88c7ecf48e Alexandru Ardelean 2020-08-25 1266 if (ret < 0)
779a44831a4f646 Nuno Sa 2024-03-28 1267 return ret;
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1268
a88fdece44d40cd Alexandru Ardelean 2020-08-25 1269 INIT_LIST_HEAD(&dmac->chan.active_descs);
a88fdece44d40cd Alexandru Ardelean 2020-08-25 1270
921234e0c5d77b5 Lars-Peter Clausen 2019-03-08 1271 dma_set_max_seg_size(&pdev->dev, UINT_MAX);
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1272
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1273 dma_dev = &dmac->dma_dev;
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1274 dma_cap_set(DMA_SLAVE, dma_dev->cap_mask);
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1275 dma_cap_set(DMA_CYCLIC, dma_dev->cap_mask);
9a05045d2a681d3 Dragos Bogdan 2019-03-26 1276 dma_cap_set(DMA_INTERLEAVE, dma_dev->cap_mask);
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1277 dma_dev->device_free_chan_resources = axi_dmac_free_chan_resources;
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1278 dma_dev->device_tx_status = dma_cookie_status;
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1279 dma_dev->device_issue_pending = axi_dmac_issue_pending;
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1280 dma_dev->device_prep_slave_sg = axi_dmac_prep_slave_sg;
74609e5686701ed Paul Cercueil 2024-06-20 1281 dma_dev->device_prep_peripheral_dma_vec = axi_dmac_prep_peripheral_dma_vec;
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1282 dma_dev->device_prep_dma_cyclic = axi_dmac_prep_dma_cyclic;
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1283 dma_dev->device_prep_interleaved_dma = axi_dmac_prep_interleaved;
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1284 dma_dev->device_terminate_all = axi_dmac_terminate_all;
860dd64c4382709 Lars-Peter Clausen 2015-10-20 1285 dma_dev->device_synchronize = axi_dmac_synchronize;
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1286 dma_dev->dev = &pdev->dev;
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1287 dma_dev->src_addr_widths = BIT(dmac->chan.src_width);
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1288 dma_dev->dst_addr_widths = BIT(dmac->chan.dest_width);
e6cff0d5c22ce16 Nuno Sá 2026-03-27 1289 dma_dev->device_release = axi_dmac_release;
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1290 dma_dev->directions = BIT(dmac->chan.direction);
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1291 dma_dev->residue_granularity = DMA_RESIDUE_GRANULARITY_DESCRIPTOR;
e97dc7435972d28 Paul Cercueil 2023-12-15 1292 dma_dev->max_sg_burst = 31; /* 31 SGs maximum in one burst */
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1293 INIT_LIST_HEAD(&dma_dev->channels);
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1294
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1295 dmac->chan.vchan.desc_free = axi_dmac_desc_free;
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1296 vchan_init(&dmac->chan.vchan, dma_dev);
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1297
b377e670bac558a Alexandru Ardelean 2020-08-25 1298 ret = axi_dmac_detect_caps(dmac, version);
b5d89905d0391de Lars-Peter Clausen 2019-05-16 1299 if (ret)
779a44831a4f646 Nuno Sa 2024-03-28 1300 return ret;
56009f0d2f54e4c Lars-Peter Clausen 2019-03-26 1301
5b969bd1d9cdfc8 Alexandru Ardelean 2019-05-27 1302 dma_dev->copy_align = (dmac->chan.address_align_mask + 1);
56009f0d2f54e4c Lars-Peter Clausen 2019-03-26 1303
238f68a08e19a61 Paul Cercueil 2023-12-15 1304 if (dmac->chan.hw_sg)
238f68a08e19a61 Paul Cercueil 2023-12-15 1305 irq_mask |= AXI_DMAC_IRQ_SOT;
238f68a08e19a61 Paul Cercueil 2023-12-15 1306
238f68a08e19a61 Paul Cercueil 2023-12-15 1307 axi_dmac_write(dmac, AXI_DMAC_REG_IRQ_MASK, irq_mask);
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1308
9327c7e7539371c Mathias Tausen 2022-07-26 1309 if (of_dma_is_coherent(pdev->dev.of_node)) {
9327c7e7539371c Mathias Tausen 2022-07-26 1310 ret = axi_dmac_read(dmac, AXI_DMAC_REG_COHERENCY_DESC);
9327c7e7539371c Mathias Tausen 2022-07-26 1311
9327c7e7539371c Mathias Tausen 2022-07-26 1312 if (version < ADI_AXI_PCORE_VER(4, 4, 'a') ||
9327c7e7539371c Mathias Tausen 2022-07-26 1313 !AXI_DMAC_DST_COHERENT_GET(ret)) {
9327c7e7539371c Mathias Tausen 2022-07-26 1314 dev_err(dmac->dma_dev.dev,
9327c7e7539371c Mathias Tausen 2022-07-26 1315 "Coherent DMA not supported in hardware");
779a44831a4f646 Nuno Sa 2024-03-28 1316 return -EINVAL;
9327c7e7539371c Mathias Tausen 2022-07-26 1317 }
9327c7e7539371c Mathias Tausen 2022-07-26 1318 }
9327c7e7539371c Mathias Tausen 2022-07-26 1319
779a44831a4f646 Nuno Sa 2024-03-28 1320 ret = dmaenginem_async_device_register(dma_dev);
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1321 if (ret)
779a44831a4f646 Nuno Sa 2024-03-28 1322 return ret;
779a44831a4f646 Nuno Sa 2024-03-28 1323
e6cff0d5c22ce16 Nuno Sá 2026-03-27 1324 /*
e6cff0d5c22ce16 Nuno Sá 2026-03-27 1325 * From this point on, our dmac object has it's lifetime bounded with
e6cff0d5c22ce16 Nuno Sá 2026-03-27 1326 * dma_dev. Will be freed when dma_dev refcount goes to 0. That means,
e6cff0d5c22ce16 Nuno Sá 2026-03-27 1327 * no more automatic kfree(). Also note that dmac is now NULL so we
e6cff0d5c22ce16 Nuno Sá 2026-03-27 1328 * need __dmac.
e6cff0d5c22ce16 Nuno Sá 2026-03-27 1329 */
e6cff0d5c22ce16 Nuno Sá 2026-03-27 1330 __dmac = no_free_ptr(dmac);
e6cff0d5c22ce16 Nuno Sá 2026-03-27 1331 get_device(&pdev->dev);
e6cff0d5c22ce16 Nuno Sá 2026-03-27 1332
779a44831a4f646 Nuno Sa 2024-03-28 1333 /*
779a44831a4f646 Nuno Sa 2024-03-28 1334 * Put the action in here so it get's done before unregistering the DMA
779a44831a4f646 Nuno Sa 2024-03-28 1335 * device.
779a44831a4f646 Nuno Sa 2024-03-28 1336 */
779a44831a4f646 Nuno Sa 2024-03-28 1337 ret = devm_add_action_or_reset(&pdev->dev, axi_dmac_tasklet_kill,
e6cff0d5c22ce16 Nuno Sá 2026-03-27 1338 &__dmac->chan.vchan.task);
779a44831a4f646 Nuno Sa 2024-03-28 1339 if (ret)
779a44831a4f646 Nuno Sa 2024-03-28 1340 return ret;
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1341
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 @1342 ret = of_dma_controller_register(pdev->dev.of_node,
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1343 of_dma_xlate_by_chan_id, dma_dev);
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1344 if (ret)
779a44831a4f646 Nuno Sa 2024-03-28 1345 return ret;
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1346
779a44831a4f646 Nuno Sa 2024-03-28 1347 ret = devm_add_action_or_reset(&pdev->dev, axi_dmac_free_dma_controller,
779a44831a4f646 Nuno Sa 2024-03-28 1348 pdev->dev.of_node);
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1349 if (ret)
779a44831a4f646 Nuno Sa 2024-03-28 1350 return ret;
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1351
e6cff0d5c22ce16 Nuno Sá 2026-03-27 1352 /* So that we can mark the device as unbound and disable it */
e6cff0d5c22ce16 Nuno Sá 2026-03-27 1353 ret = devm_add_action_or_reset(&pdev->dev, axi_dmac_disable, __dmac);
e6cff0d5c22ce16 Nuno Sá 2026-03-27 1354 if (ret)
e6cff0d5c22ce16 Nuno Sá 2026-03-27 1355 return ret;
e6cff0d5c22ce16 Nuno Sá 2026-03-27 1356
e6cff0d5c22ce16 Nuno Sá 2026-03-27 1357 ret = devm_request_irq(&pdev->dev, __dmac->irq, axi_dmac_interrupt_handler,
e6cff0d5c22ce16 Nuno Sá 2026-03-27 1358 IRQF_SHARED, dev_name(&pdev->dev), __dmac);
779a44831a4f646 Nuno Sa 2024-03-28 1359 if (ret)
779a44831a4f646 Nuno Sa 2024-03-28 1360 return ret;
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1361
e6cff0d5c22ce16 Nuno Sá 2026-03-27 1362 regmap = devm_regmap_init_mmio(&pdev->dev, __dmac->base,
a5b982af953bcc8 Chuhong Yuan 2019-12-09 1363 &axi_dmac_regmap_config);
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1364
779a44831a4f646 Nuno Sa 2024-03-28 1365 return PTR_ERR_OR_ZERO(regmap);
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1366 }
0e3b67b348b838d Lars-Peter Clausen 2015-08-20 1367
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki