From: sashiko-bot@kernel.org
To: "Yuanshen Cao" <alex.caoys@gmail.com>
Cc: robh@kernel.org, vkoul@kernel.org, dmaengine@vger.kernel.org,
Frank.Li@kernel.org, linux-sunxi@lists.linux.dev,
conor+dt@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v2 2/5] dmaengine: sun6i-dma: Add set_addr function pointer for variable address widths
Date: Sun, 21 Jun 2026 21:51:03 +0000 [thread overview]
Message-ID: <20260621215103.EED171F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260621-sun60i-a733-dma-v2-2-340f205891cc@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Use-After-Free during error path cleanup in sun6i_dma_prep_slave_sg and sun6i_dma_prep_dma_cyclic.
--
commit 9bdc9020fe709f46ed0cba2bea4a233b8e23c603
Author: Yuanshen Cao <alex.caoys@gmail.com>
dmaengine: sun6i-dma: Add set_addr function pointer for variable address widths
This commit refactors the sun6i DMA driver by moving the address setting logic
into a function pointer within the configuration structure. This allows
handling of different hardware variations, specifically adding support for
the A733's 32G high-address bits while preserving legacy behavior for
older generations.
> diff --git a/drivers/dma/sun6i-dma.c b/drivers/dma/sun6i-dma.c
> index ef3052c4ab363..9984b9033cbb9 100644
> --- a/drivers/dma/sun6i-dma.c
> +++ b/drivers/dma/sun6i-dma.c
> @@ -138,6 +139,8 @@ struct sun6i_dma_config {
> void (*set_burst_length)(u32 *p_cfg, s8 src_burst, s8 dst_burst);
> void (*set_drq)(u32 *p_cfg, s8 src_drq, s8 dst_drq);
> void (*set_mode)(u32 *p_cfg, s8 src_mode, s8 dst_mode);
> + void (*set_addr)(struct sun6i_dma_dev *sdev, struct sun6i_dma_lli *v_lli,
> + dma_addr_t src, dma_addr_t dst);
> void (*dump_com_regs)(struct sun6i_dma_dev *sdev);
[ ... ]
[Severity: High]
This is a pre-existing issue, but I noticed a potential use-after-free
in the error cleanup paths.
Looking at sun6i_dma_prep_slave_sg():
err_lli_free:
for (p_lli = txd->p_lli, v_lli = txd->v_lli; v_lli;
p_lli = v_lli->p_lli_next, v_lli = v_lli->v_lli_next)
dma_pool_free(sdev->pool, v_lli, p_lli);
Does this loop cause a use-after-free? The dma_pool_free() call frees
v_lli, but the loop increment step then dereferences it via
v_lli = v_lli->v_lli_next.
This exact same pattern also appears in sun6i_dma_prep_dma_cyclic():
err_lli_free:
for (p_lli = txd->p_lli, v_lli = txd->v_lli; v_lli;
p_lli = v_lli->p_lli_next, v_lli = v_lli->v_lli_next)
dma_pool_free(sdev->pool, v_lli, p_lli);
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260621-sun60i-a733-dma-v2-0-340f205891cc@gmail.com?part=2
next prev parent reply other threads:[~2026-06-21 21:51 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-21 21:40 [PATCH v2 0/5] dmaengine: sun6i-dma: Add support for Allwinner A733 DMA controller Yuanshen Cao
2026-06-21 21:40 ` [PATCH v2 1/5] dmaengine: sun6i-dma: Refactor to support A733 interrupt and register handling Yuanshen Cao
2026-06-21 21:57 ` sashiko-bot
2026-06-21 22:14 ` Frank Li
2026-06-21 21:40 ` [PATCH v2 2/5] dmaengine: sun6i-dma: Add set_addr function pointer for variable address widths Yuanshen Cao
2026-06-21 21:51 ` sashiko-bot [this message]
2026-06-21 22:16 ` Frank Li
2026-06-21 21:40 ` [PATCH v2 3/5] dmaengine: sun6i-dma: Add num_channels_per_reg for flexible interrupt mapping Yuanshen Cao
2026-06-21 21:55 ` sashiko-bot
2026-06-21 22:18 ` Frank Li
2026-06-21 21:40 ` [PATCH v2 4/5] dt-bindings: dma: sun50i-a64-dma: Add allwinner,sun60i-a733-dma compatible string Yuanshen Cao
2026-06-21 21:52 ` sashiko-bot
2026-06-21 22:19 ` Frank Li
2026-06-21 21:40 ` [PATCH v2 5/5] dmaengine: sun6i-dma: Implement support for Allwinner A733 DMA controller Yuanshen Cao
2026-06-21 21:53 ` sashiko-bot
2026-06-21 22:22 ` Frank Li
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260621215103.EED171F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=alex.caoys@gmail.com \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=dmaengine@vger.kernel.org \
--cc=linux-sunxi@lists.linux.dev \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=vkoul@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.