Re: [PATCH v19 11/14] crypto: qce - Use existing devres APIs in devm_qce_dma_request()

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Invalid explicit cleanup of devm-managed resources causes slab corruption and double-free vulnerabilities.
--

commit 633f351bd909cf49fe67df70c5d1504f4356decf
Author: Bartosz Golaszewski <brgl@kernel.org>

crypto: qce - Use existing devres APIs in devm_qce_dma_request()

This commit switches the explicit dma_request_chan and kmalloc calls to
their devm_* counterparts in devm_qce_dma_request. It also simplifies the
error handling paths and renames the release action.

> diff --git a/drivers/crypto/qce/dma.c b/drivers/crypto/qce/dma.c
> index d60efb5c26d88..c2602d35baa6a 100644
> --- a/drivers/crypto/qce/dma.c
> +++ b/drivers/crypto/qce/dma.c
> @@ -12,7 +12,7 @@
>  
>  #define QCE_IGNORE_BUF_SZ		(2 * QCE_BAM_BURST_SIZE)
>  
> -static void qce_dma_release(void *data)
> +static void qce_dma_terminate(void *data)
>  {
>  	struct qce_dma_data *dma = data;

[Severity: High]
Does qce_dma_terminate() still call kfree(dma->result_buf) and
dma_release_channel() on the DMA channels?

Looking at the unmodified portion of the function:

static void qce_dma_terminate(void *data)
{
        struct qce_dma_data *dma = data;

        dmaengine_terminate_sync(dma->txchan);
        dmaengine_terminate_sync(dma->rxchan);
        dma_release_channel(dma->txchan);
        dma_release_channel(dma->rxchan);
        kfree(dma->result_buf);
}

Since dma->result_buf, dma->txchan, and dma->rxchan are now allocated using
devm_kmalloc() and devm_dma_request_chan() below, won't the devres framework
automatically clean them up during device teardown?

Because devm_add_action_or_reset() adds this callback to the devres list, it
will execute first and manually free these resources. When the devres
framework subsequently cleans up the devm allocations, could this lead to a
double-free and slab corruption?

[ ... ]

> @@ -27,34 +27,22 @@ int devm_qce_dma_request(struct qce_device *qce)
>  {
>  	struct qce_dma_data *dma = &qce->dma;
>  	struct device *dev = qce->dev;
> -	int ret;
>  
> -	dma->txchan = dma_request_chan(dev, "tx");
> +	dma->result_buf = devm_kmalloc(dev, QCE_RESULT_BUF_SZ + QCE_IGNORE_BUF_SZ, GFP_KERNEL);
> +	if (!dma->result_buf)
> +		return -ENOMEM;
> +
> +	dma->txchan = devm_dma_request_chan(dev, "tx");

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260526-qcom-qce-cmd-descr-v19-0-08472fdcbf4a@oss.qualcomm.com?part=11