From: sashiko-bot@kernel.org
To: "Hongling Zeng" <zenghongling@kylinos.cn>
Cc: Frank.Li@kernel.org, linux-sunxi@lists.linux.dev,
	dmaengine@vger.kernel.org, vkoul@kernel.org
Subject: Re: [PATCH v3] dmaengine: sun6i-dma: Fix use-after-free in error handling paths
Date: Tue, 16 Jun 2026 02:43:21 +0000
Message-ID: <20260616024321.BF6691F000E9@smtp.kernel.org>
In-Reply-To: <20260616023138.15904-1-zenghongling@kylinos.cn>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Memory leak in `sun6i_dma_terminate_all` for active non-cyclic descriptors.
--

commit 81994b3beae8e2aae413048bdddddd1fbb74bec0
Author: Hongling Zeng <zenghongling@kylinos.cn>

dmaengine: sun6i-dma: Fix use-after-free in error handling paths
    
This patch fixes a use-after-free during the error handling path of
sun6i_dma_prep_slave_sg and sun6i_dma_prep_dma_cyclic. It replaces an
unsafe manual loop traversal with a call to sun6i_dma_free_desc(),
which safely stores the next pointers before freeing the current LLI.

> diff --git a/drivers/dma/sun6i-dma.c b/drivers/dma/sun6i-dma.c
> index a9a254dbf8cb9..7a79f346250a5 100644
> --- a/drivers/dma/sun6i-dma.c
> +++ b/drivers/dma/sun6i-dma.c

[ ... ]

While looking at this driver's descriptor cleanup, I noticed a separate
issue in sun6i_dma_terminate_all():

drivers/dma/sun6i-dma.c:sun6i_dma_terminate_all()
	if (vchan->cyclic) {
		vchan->cyclic = false;
		if (pchan && pchan->desc) {
			struct virt_dma_desc *vd = &pchan->desc->vd;
			struct virt_dma_chan *vc = &vchan->vc;

			list_add_tail(&vd->node, &vc->desc_completed);
		}
	}

	vchan_get_all_descriptors(&vchan->vc, &head);

	if (pchan) {
		writel(DMA_CHAN_ENABLE_STOP, pchan->base + DMA_CHAN_ENABLE);
		writel(DMA_CHAN_PAUSE_RESUME, pchan->base + DMA_CHAN_PAUSE);

		vchan->phy = NULL;
		pchan->vchan = NULL;
		pchan->desc = NULL;
                ^^^^^^^^^^^^^^^^^^
[Severity: High]
This is a pre-existing issue, but does this leak the active non-cyclic
descriptor?

When a non-cyclic transfer is aborted, pchan->desc is not added to the
desc_completed list (unlike cyclic transfers). Because it was already
removed from the desc_issued list during sun6i_dma_start_desc(),
setting pchan->desc to NULL here seems to permanently orphan the
descriptor and its associated LLIs, leading to a memory leak.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260616023138.15904-1-zenghongling@kylinos.cn?part=1
