From: sashiko-bot@kernel.org
To: "Rosen Penev" <rosenp@gmail.com>
Cc: Frank.Li@kernel.org, vkoul@kernel.org, dmaengine@vger.kernel.org
Subject: Re: [PATCHv3 04/15] dmaengine: fsldma: provide device_release callback
Date: Tue, 09 Jun 2026 22:29:13 +0000 [thread overview]
Message-ID: <20260609222913.E006F1F00898@smtp.kernel.org> (raw)
In-Reply-To: <20260609221926.35538-5-rosenp@gmail.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
New issues:
- [Critical] The patch introduces a double-free of `fdev` and multiple use-after-free (UAF) vulnerabilities during device teardown by leaving explicit cleanup operations in `fsldma_of_remove` after the device might have been freed.
Pre-existing issues:
- [High] Individual DMA channel structures (`struct fsldma_chan`) are unconditionally destroyed in `fsldma_of_remove()`, causing use-after-free and invalid hardware access if dmaengine clients still hold references.
- [High] The driver frees the DMA channel structure without ensuring its associated tasklet is killed, which can lead to a use-after-free if the tasklet executes after the channel is freed.
--
commit f8012bef1fb7e396bca2eeb8a77b04e6cdee7e7c
Author: Rosen Penev <rosenp@gmail.com>
dmaengine: fsldma: provide device_release callback
The DMA core requires drivers to set dma_device.device_release so that
the container structure is only freed after all references to it have
been dropped. This patch allocates fdev with kzalloc_obj, provides the
device_release callback, and saves channel pointers to avoid UAF during
removal.
> diff --git a/drivers/dma/fsldma.c b/drivers/dma/fsldma.c
> index 22d62d958abd9..06a6996a53229 100644
> --- a/drivers/dma/fsldma.c
> +++ b/drivers/dma/fsldma.c
> @@ -1211,6 +1211,8 @@ static void fsl_dma_chan_remove(struct fsldma_chan *chan)
> kfree(chan);
[Severity: High]
This isn't a bug introduced by this patch, but does this code free the DMA
channel structure without ensuring its associated tasklet is stopped?
While fsldma_free_irqs() prevents new hardware interrupts, an interrupt
that fired previously could have scheduled the tasklet. If the tasklet is
pending in the softirq queue, it will execute dma_do_tasklet() after chan
has been freed, resulting in a use-after-free.
Would it make sense to call tasklet_kill(&chan->tasklet) before freeing
the channel?
> }
>
[ ... ]
> @@ -1308,19 +1311,33 @@ static int fsldma_of_probe(struct platform_device *op)
> return err;
> }
>
> +static void fsldma_device_release(struct dma_device *dma_dev)
> +{
> + struct fsldma_device *fdev = container_of(dma_dev, struct fsldma_device,
> + common);
> + kfree(fdev);
> +}
> +
> static void fsldma_of_remove(struct platform_device *op)
> {
> - struct fsldma_device *fdev;
> + struct fsldma_device *fdev = platform_get_drvdata(op);
> + struct fsldma_chan *chans[FSL_DMA_MAX_CHANS_PER_DEVICE];
> unsigned int i;
>
> - fdev = platform_get_drvdata(op);
> - dma_async_device_unregister(&fdev->common);
> + for (i = 0; i < FSL_DMA_MAX_CHANS_PER_DEVICE; i++)
> + chans[i] = fdev->chan[i];
>
> fsldma_free_irqs(fdev);
>
> + /*
> + * fdev may be freed by fsldma_device_release inside this call;
> + * use saved copies of the channel pointers afterwards.
> + */
> + dma_async_device_unregister(&fdev->common);
> +
> for (i = 0; i < FSL_DMA_MAX_CHANS_PER_DEVICE; i++) {
> - if (fdev->chan[i])
> - fsl_dma_chan_remove(fdev->chan[i]);
> + if (chans[i])
> + fsl_dma_chan_remove(chans[i]);
[Severity: Critical]
If dma_async_device_unregister() drops the last reference and triggers
fsldma_device_release() to free fdev, does fsl_dma_chan_remove() cause
a use-after-free?
Inside fsl_dma_chan_remove(), list_del(&chan->common.device_node) modifies
the list head linked to fdev->common.channels, which belongs to the newly
freed fdev.
[Severity: High]
This is a pre-existing issue, but does destroying the channel structures
synchronously in fsldma_of_remove() lead to invalid hardware access and
use-after-free if dmaengine clients still hold references?
Since the channel lifetime needs to match the DMA device container, memory
is freed and I/O mapped registers are unmapped here while clients might
still have active references. Could the channel teardown be moved to the
fsldma_device_release() callback instead?
> }
> irq_dispose_mapping(fdev->irq);
[Severity: Critical]
Does accessing fdev->irq here cause a use-after-free if fdev was already
freed by dma_async_device_unregister() earlier in this function?
The unquoted code immediately following this in fsldma_of_remove() also
proceeds to call iounmap(fdev->regs) and kfree(fdev), which appears to
cause a double-free if the release callback already ran.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260609221926.35538-5-rosenp@gmail.com?part=1
next prev parent reply other threads:[~2026-06-09 22:29 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-09 22:19 [PATCHv3 00/15] dmaengine: fsldma: devm conversion, fixups, and cleanups Rosen Penev
2026-06-09 22:19 ` [PATCHv3 01/15] dmaengine: fsldma: kill tasklet before removing channel Rosen Penev
2026-06-09 22:31 ` sashiko-bot
2026-06-10 1:35 ` Frank Li
2026-06-09 22:19 ` [PATCHv3 02/15] dmaengine: fsldma: drop desc_lock before invoking client callback Rosen Penev
2026-06-09 22:32 ` sashiko-bot
2026-06-09 22:19 ` [PATCHv3 03/15] dmaengine: fsldma: halt DMA engine before freeing resources Rosen Penev
2026-06-10 2:46 ` Frank Li
2026-06-09 22:19 ` [PATCHv3 04/15] dmaengine: fsldma: provide device_release callback Rosen Penev
2026-06-09 22:29 ` sashiko-bot [this message]
2026-06-09 22:19 ` [PATCHv3 05/15] dmaengine: fsldma: check dma_async_device_register() return value Rosen Penev
2026-06-09 22:29 ` sashiko-bot
2026-06-09 22:19 ` [PATCHv3 06/15] dmaengine: fsldma: fix probe error path not freeing IRQs Rosen Penev
2026-06-09 22:19 ` [PATCHv3 07/15] dmaengine: fsldma: fix request_irqs unwind freeing unregistered IRQ Rosen Penev
2026-06-09 22:28 ` sashiko-bot
2026-06-09 22:19 ` [PATCHv3 08/15] dmaengine: fsldma: convert to platform_get_irq_optional() Rosen Penev
2026-06-10 2:58 ` Frank Li
2026-06-09 22:19 ` [PATCHv3 09/15] dmaengine: fsldma: use devm for kzalloc() Rosen Penev
2026-06-10 1:57 ` Frank Li
2026-06-09 22:19 ` [PATCHv3 10/15] dmaengine: fsldma: use devm_platform_ioremap_resource() Rosen Penev
2026-06-09 22:19 ` [PATCHv3 11/15] dmaengine: fsldma: convert channel allocation to devm_kzalloc() Rosen Penev
2026-06-09 22:19 ` [PATCHv3 12/15] dmaengine: fsldma: use devm for of_iomap() Rosen Penev
2026-06-10 1:53 ` Frank Li
2026-06-09 22:19 ` [PATCHv3 13/15] dmaengine: fsldma: replace irq_of_parse_and_map with of_irq_get Rosen Penev
2026-06-09 22:36 ` sashiko-bot
2026-06-09 22:19 ` [PATCHv3 14/15] dmaengine: fsldma: replace ppc-specific accessors with portable generic ones Rosen Penev
2026-06-09 22:19 ` [PATCHv3 15/15] dmaengine: fsldma: fix kernel-doc param names to match function signatures Rosen Penev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260609222913.E006F1F00898@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=dmaengine@vger.kernel.org \
--cc=rosenp@gmail.com \
--cc=sashiko-reviews@lists.linux.dev \
--cc=vkoul@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.