From: sashiko-bot@kernel.org
To: "Claudiu Beznea" <claudiu.beznea.uj@bp.renesas.com>
Cc: vkoul@kernel.org, dmaengine@vger.kernel.org,
wsa+renesas@sang-engineering.com, Frank.Li@kernel.org
Subject: Re: [PATCH v5 02/17] dmaengine: sh: rz-dmac: Fix incorrect NULL check on list_first_entry()
Date: Wed, 13 May 2026 22:00:06 +0000
Message-ID: <20260513220006.A80A4C19425@smtp.kernel.org>
In-Reply-To: <20260512121219.216159-3-claudiu.beznea.uj@bp.renesas.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

- [High] Prematurely returning 0 when `ld_active` is empty skips searching `ld_queue`, falsely reporting queued descriptors as `DMA_COMPLETE`.
--

commit e2ab802dbc50a8c1bda80f9138ff1923d4e471e9
Author: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>

dmaengine: sh: rz-dmac: Fix incorrect NULL check on list_first_entry()

This commit replaces list_first_entry() with list_first_entry_or_null()
when retrieving the active descriptor to avoid dereferencing invalid
memory when the list is empty.

> diff --git a/drivers/dma/sh/rz-dmac.c b/drivers/dma/sh/rz-dmac.c
> index 9f206a33dcc6b..6d80cb668957f 100644
> --- a/drivers/dma/sh/rz-dmac.c
> +++ b/drivers/dma/sh/rz-dmac.c
> @@ -723,8 +723,8 @@ static u32 rz_dmac_chan_get_residue(struct rz_dmac_chan *channel,
> u32 crla, crtb, i;
>
> /* Get current processing virtual descriptor */
> - current_desc = list_first_entry(&channel->ld_active,
> - struct rz_dmac_desc, node);
> + current_desc = list_first_entry_or_null(&channel->ld_active,
> + struct rz_dmac_desc, node);
> if (!current_desc)
> return 0;
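
Review bot: the "if (!current_desc) return 0;" that closes this hunk was unreachable with list_first_entry(), which never yields NULL, and becomes a live early exit once list_first_entry_or_null() is used; nothing in the hunk says why a residue of 0 is the right answer when channel->ld_active is empty. If the rest of rz_dmac_chan_get_residue() (not visible in this hunk) also handles descriptors that are not yet active, consider skipping only the current_desc branch instead of returning, or add a comment stating why an empty ld_active means there is nothing left to report.
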
If a client queries the status of a pending transfer before it starts,
channel->ld_active will be empty.

Does returning 0 here bypass the subsequent search of channel->ld_queue?

If the search of channel->ld_queue is skipped, will rz_dmac_tx_status()
erroneously override the status and report it as complete for an unstarted
transfer?

Could this regression cause clients to prematurely free memory buffers and
lead to a use-after-free when the hardware later executes the transfer?

Prior to this patch, the out-of-bounds pointer from list_first_entry()
bypassed the early return, resulting in a garbage cookie value that typically
didn't match the requested cookie.

The logic would then safely fall through, correctly search channel->ld_queue,
and return desc->len for pending transfers.

Commit 42ad33b3ab87bf57f49fbcb8d0351a26fc1ff69d ("dmaengine: sh: rz-dmac: Use
virt-dma APIs for channel descriptor processing") later refactors descriptor
processing and handles the residue calculation via vchan_find_desc(), which
resolves this issue.

--
Sashiko AI review · https://sashiko.dev/#/patchset/20260512121219.216159-1-claudiu.beznea.uj@bp.renesas.com?part=2
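
Added example, not part of the original message and not code from the rz-dmac driver: a userspace model of the residue lookup the review describes, showing how an early return on an empty ld_active hides a descriptor that is still in ld_queue. The struct desc and struct chan types, the early_return flag, and the cookie 7 / 4096-byte transfer are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Userspace stand-in for the kernel's circular list (constructed model). */
struct list_head { struct list_head *next, *prev; };
#define container_of(p, type, member) ((type *)((char *)(p) - offsetof(type, member)))
#define first_entry_or_null(head, type, member) \
	((head)->next != (head) ? container_of((head)->next, type, member) : NULL)

static void list_add_tail(struct list_head *n, struct list_head *head)
{
	n->prev = head->prev; n->next = head;
	head->prev->next = n; head->prev = n;
}

/* Hypothetical descriptor and channel: only the fields the review mentions. */
struct desc { struct list_head node; int cookie; uint32_t len; };
struct chan { struct list_head ld_active, ld_queue; };

/* A descriptor still waiting in ld_queue owes its full length. */
static uint32_t queued_residue(struct chan *c, int cookie)
{
	for (struct list_head *p = c->ld_queue.next; p != &c->ld_queue; p = p->next) {
		struct desc *d = container_of(p, struct desc, node);
		if (d->cookie == cookie)
			return d->len;
	}
	return 0;
}

/* early_return = 1 models the patched hunk; 0 skips only the active branch. */
static uint32_t residue(struct chan *c, int cookie, int early_return)
{
	struct desc *cur = first_entry_or_null(&c->ld_active, struct desc, node);
	if (!cur && early_return)
		return 0;		/* ld_queue is never consulted */
	if (cur && cur->cookie == cookie)
		return cur->len;	/* model: hardware progress not simulated */
	return queued_residue(c, cookie);
}

/* Constructed scenario: nothing active, cookie 7 (4096 bytes) still queued. */
static uint32_t pending_residue(int early_return)
{
	struct chan c = { { &c.ld_active, &c.ld_active }, { &c.ld_queue, &c.ld_queue } };
	struct desc d = { .cookie = 7, .len = 4096 };
	list_add_tail(&d.node, &c.ld_queue);
	return residue(&c, 7, early_return);
}
int main(void) { return !(pending_residue(1) == 0 && pending_residue(0) == 4096); }
```

A caller that treats a residue of 0 as completion would see the queued transfer as finished in the first case and as fully pending in the second.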