From: Dan Carpenter <error27@gmail.com>
To: Maxime Ripard <mripard@kernel.org>
Cc: dmaengine@vger.kernel.org, linux-sunxi@lists.linux.dev
Subject: [bug report] dmaengine: sun6i: Fix memory leaks
Date: Tue, 12 May 2026 13:17:21 +0300
Message-ID: <agL-MYGNzC278bNc@stanley.mountain>

Hello Maxime Ripard,

Commit 4fbd804e009a ("dmaengine: sun6i: Fix memory leaks") from Jul
30, 2014 (linux-next), leads to the following Smatch static checker
warning:

    drivers/dma/sun6i-dma.c:792 sun6i_dma_prep_slave_sg() error: dereferencing freed memory 'v_lli' (line 793)
    drivers/dma/sun6i-dma.c:873 sun6i_dma_prep_dma_cyclic() error: dereferencing freed memory 'v_lli' (line 874)

drivers/dma/sun6i-dma.c
    783         dev_dbg(chan2dev(chan), "First: %pad\n", &txd->p_lli);
    784         for (p_lli = txd->p_lli, v_lli = txd->v_lli; v_lli;
    785              p_lli = v_lli->p_lli_next, v_lli = v_lli->v_lli_next)
    786                 sun6i_dma_dump_lli(vchan, v_lli, p_lli);
    787
    788         return vchan_tx_prep(&vchan->vc, &txd->vd, flags);
    789
    790 err_lli_free:
    791         for (p_lli = txd->p_lli, v_lli = txd->v_lli; v_lli;
--> 792              p_lli = v_lli->p_lli_next, v_lli = v_lli->v_lli_next)
                                                        ^^^^^^^^^^^^^^^^^
This dereferences v_lli to get v_lli->v_lli_next.

    793                 dma_pool_free(sdev->pool, v_lli, p_lli);

We can't use v_lli after passing it to dma_pool_free().  The
dma_pool_free() changes the first 16 bytes of v_lli so it kind of works
here if you're not concerned about something else re-using it and
introducing a race.

    794         kfree(txd);
    795         return NULL;
    796 }

This email is a free service from the Smatch-CI project [smatch.sf.net].

regards,
dan carpenter
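
An added illustration, not part of the original message and not the driver's code: a user-space C model of the teardown loop flagged at line 792, next to a loop that copies both links out of the item before releasing it. The `struct lli` layout, `pool_free()`, `build_chain()`, `N_LLI` and the addresses are hypothetical or constructed; the model's free zero-fills the whole block, an assumption chosen so the stale read becomes a deterministic early exit.

```c
#include <stdint.h>
#include <string.h>

#define N_LLI 4 /* constructed chain length */
/* Hypothetical user-space model of one chain item; not the driver's struct. */
struct lli {
    uint32_t p_lli_next;    /* constructed stand-in for the next DMA address */
    struct lli *v_lli_next; /* CPU pointer to the next item */
};
static struct lli pool[N_LLI];
static int frees;

/* Model free (assumption): zero-fills the block so a stale read is visible. */
static void pool_free(struct lli *v, uint32_t p)
{
    (void)p;
    memset(v, 0, sizeof(*v));
    frees++;
}

struct lli *build_chain(void)
{
    for (int i = 0; i < N_LLI; i++) {
        pool[i].p_lli_next = (i + 1 < N_LLI) ? 0x1000u + 0x20u * (i + 1) : 0;
        pool[i].v_lli_next = (i + 1 < N_LLI) ? &pool[i + 1] : NULL;
    }
    frees = 0; /* fresh count for each run */
    return &pool[0];
}

/* Pattern from the report: the loop increment reads v after pool_free(v). */
int free_chain_stale(struct lli *v, uint32_t p)
{
    for (; v; p = v->p_lli_next, v = v->v_lli_next)
        pool_free(v, p);
    return frees;
}

/* Safe order: copy both links out of the block, then release it. */
int free_chain_safe(struct lli *v, uint32_t p)
{
    while (v) {
        struct lli *v_next = v->v_lli_next;
        uint32_t p_next = v->p_lli_next;
        pool_free(v, p);
        v = v_next;
        p = p_next;
    }
    return frees;
}
```

In this model the stale loop releases one item and stops, leaving the rest of the chain allocated, while the safe loop releases all `N_LLI` items.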