* [bug report] dmaengine: sun6i: Fix memory leaks
@ 2026-05-12 10:17 Dan Carpenter
From: Dan Carpenter @ 2026-05-12 10:17 UTC
  To: Maxime Ripard; +Cc: dmaengine, linux-sunxi

Hello Maxime Ripard,

Commit 4fbd804e009a ("dmaengine: sun6i: Fix memory leaks") from Jul
30, 2014 (linux-next), leads to the following Smatch static checker
warning:

drivers/dma/sun6i-dma.c:792 sun6i_dma_prep_slave_sg() error: dereferencing freed memory 'v_lli' (line 793)
drivers/dma/sun6i-dma.c:873 sun6i_dma_prep_dma_cyclic() error: dereferencing freed memory 'v_lli' (line 874)

drivers/dma/sun6i-dma.c
    783         dev_dbg(chan2dev(chan), "First: %pad\n", &txd->p_lli);
    784         for (p_lli = txd->p_lli, v_lli = txd->v_lli; v_lli;
    785              p_lli = v_lli->p_lli_next, v_lli = v_lli->v_lli_next)
    786                 sun6i_dma_dump_lli(vchan, v_lli, p_lli);
    787 
    788         return vchan_tx_prep(&vchan->vc, &txd->vd, flags);
    789 
    790 err_lli_free:
    791         for (p_lli = txd->p_lli, v_lli = txd->v_lli; v_lli;
--> 792              p_lli = v_lli->p_lli_next, v_lli = v_lli->v_lli_next)
                                                        ^^^^^^^^^^^^^^^^^
This dereferences v_lli to get v_lli->v_lli_next.

    793                 dma_pool_free(sdev->pool, v_lli, p_lli);

We can't use v_lli after passing it to dma_pool_free(). The
dma_pool_free() changes the first 16 bytes of v_lli so it kind of works
here if you're not concerned about something else re-using it and
introducing a race.

    794         kfree(txd);
    795         return NULL;
    796 }

This email is a free service from the Smatch-CI project [smatch.sf.net].

regards,
dan carpenter
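
Added example, not part of the original message or of the driver: a user-space model of the error-path loop, showing the flagged shape (free in the body, read the link in the step) beside a shape that copies the link out first. `mock_pool_free()`, `arena`, `read_next()` and the `freed` field are hypothetical; the mock clears a freed item's links, which is only one thing an allocator may do to a returned block.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of one item; 'freed' is demo bookkeeping, not a driver field. */
struct lli {
	uint32_t p_lli_next;    /* bus address of the next item */
	struct lli *v_lli_next; /* CPU pointer to the next item */
	int freed;
};

#define N_LLI 4
static struct lli arena[N_LLI]; /* static storage: the demo has no real UAF */
static int stale_reads;         /* link reads made through a freed item */

/* Hypothetical stand-in for dma_pool_free(): the returned block's contents
 * are no longer ours, modelled by clearing the links. */
static void mock_pool_free(struct lli *v) { *v = (struct lli){ 0, NULL, 1 }; }

/* Builds a constructed 4-item chain and resets the stale-read counter. */
static struct lli *build_list(void)
{
	stale_reads = 0;
	for (int i = 0; i < N_LLI - 1; i++)
		arena[i] = (struct lli){ 0x1000u + 0x20u * (i + 1), &arena[i + 1], 0 };
	arena[N_LLI - 1] = (struct lli){ 0, NULL, 0 };
	return &arena[0];
}

/* Reads the link and counts the read if the item was already freed. */
static struct lli *read_next(struct lli *v) { stale_reads += v->freed; return v->v_lli_next; }

/* Shape of the flagged loop: the body frees v, then the step reads v. */
static int free_list_flagged(struct lli *v)
{
	int n = 0;
	for (; v; v = read_next(v), n++)
		mock_pool_free(v);
	return n;
}

/* Corrected shape: copy the link out before the item returns to the pool. */
static int free_list_fixed(struct lli *v)
{
	int n = 0;
	for (struct lli *next; v; v = next, n++) {
		next = read_next(v);
		mock_pool_free(v);
	}
	return n;
}
```

Under this mock the flagged shape frees one item and leaves the rest of the chain allocated, while the corrected shape frees all four without reading a freed item.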
