From: sashiko-bot@kernel.org
To: "Claudiu Beznea" <claudiu.beznea.uj@bp.renesas.com>
Cc: vkoul@kernel.org, dmaengine@vger.kernel.org,
wsa+renesas@sang-engineering.com, Frank.Li@kernel.org
Subject: Re: [PATCH v5 02/17] dmaengine: sh: rz-dmac: Fix incorrect NULL check on list_first_entry()
Date: Wed, 13 May 2026 22:00:06 +0000
Message-ID: <20260513220006.A80A4C19425@smtp.kernel.org>
In-Reply-To: <20260512121219.216159-3-claudiu.beznea.uj@bp.renesas.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Prematurely returning 0 when `ld_active` is empty skips searching `ld_queue`, falsely reporting queued descriptors as `DMA_COMPLETE`.
--
commit e2ab802dbc50a8c1bda80f9138ff1923d4e471e9
Author: Claudiu Beznea <claudiu.beznea.uj@bp.renesas.com>
dmaengine: sh: rz-dmac: Fix incorrect NULL check on list_first_entry()
This commit replaces list_first_entry() with list_first_entry_or_null()
when retrieving the active descriptor to avoid dereferencing invalid
memory when the list is empty.
> diff --git a/drivers/dma/sh/rz-dmac.c b/drivers/dma/sh/rz-dmac.c
> index 9f206a33dcc6b..6d80cb668957f 100644
> --- a/drivers/dma/sh/rz-dmac.c
> +++ b/drivers/dma/sh/rz-dmac.c
> @@ -723,8 +723,8 @@ static u32 rz_dmac_chan_get_residue(struct rz_dmac_chan *channel,
> u32 crla, crtb, i;
>
> /* Get current processing virtual descriptor */
> - current_desc = list_first_entry(&channel->ld_active,
> - struct rz_dmac_desc, node);
> + current_desc = list_first_entry_or_null(&channel->ld_active,
> + struct rz_dmac_desc, node);
> if (!current_desc)
> return 0;
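Review bot: The `if (!current_desc) return 0;` test that closes this hunk was dead code with list_first_entry(), which never returns NULL, and becomes a live exit path with list_first_entry_or_null(): an empty channel->ld_active now yields a residue of 0 for every caller. The commit message describes only the invalid dereference, so either state there that 0 is the intended answer when nothing is active, or narrow the NULL check to the statements that actually dereference current_desc so the rest of rz_dmac_chan_get_residue() still runs.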
If a client queries the status of a pending transfer before it starts,
channel->ld_active will be empty.
Does returning 0 here bypass the subsequent search of channel->ld_queue?
If the search of channel->ld_queue is skipped, will rz_dmac_tx_status()
erroneously override the status and report it as complete for an unstarted
transfer?
Could this regression cause clients to prematurely free memory buffers and
lead to a use-after-free when the hardware later executes the transfer?
Prior to this patch, the out-of-bounds pointer from list_first_entry()
bypassed the early return, resulting in a garbage cookie value that typically
didn't match the requested cookie.
The logic would then safely fall through, correctly search channel->ld_queue,
and return desc->len for pending transfers.
Commit 42ad33b3ab87bf57f49fbcb8d0351a26fc1ff69d ("dmaengine: sh: rz-dmac: Use
virt-dma APIs for channel descriptor processing") later refactors descriptor
processing and handles the residue calculation via vchan_find_desc(), which
resolves this issue.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260512121219.216159-1-claudiu.beznea.uj@bp.renesas.com?part=2
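The behaviour change discussed in this review, as an added userspace model (not code from the patch or the rz-dmac driver). The list macros are reduced copies of the kernel helpers; `struct desc`, `struct chan`, `queued_len()` and both residue functions are hypothetical stand-ins, and the residue of an active descriptor is simplified to its length.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace copies of the kernel list helpers, enough for this model. */
struct list_head { struct list_head *next, *prev; };
#define container_of(p, type, member) ((type *)((char *)(p) - offsetof(type, member)))
#define list_first_entry(head, type, member) container_of((head)->next, type, member)
#define list_first_entry_or_null(head, type, member) \
	((head)->next != (head) ? list_first_entry(head, type, member) : NULL)

/* Hypothetical stand-ins for the driver's descriptor and channel. */
struct desc { struct list_head node; int cookie; unsigned int len; };
struct chan { struct list_head ld_active, ld_queue; };

static unsigned int queued_len(struct chan *c, int cookie)
{
	for (struct list_head *p = c->ld_queue.next; p != &c->ld_queue; p = p->next) {
		struct desc *d = container_of(p, struct desc, node);
		if (d->cookie == cookie)
			return d->len;
	}
	return 0;
}

/* Shape of the patched hunk: empty ld_active returns before ld_queue is searched. */
static unsigned int residue_early_return(struct chan *c, int cookie)
{
	struct desc *cur = list_first_entry_or_null(&c->ld_active, struct desc, node);
	if (!cur)
		return 0;
	return cur->cookie == cookie ? cur->len : queued_len(c, cookie);
}

/* Alternative: guard only the use of cur, then still search ld_queue. */
static unsigned int residue_guarded(struct chan *c, int cookie)
{
	struct desc *cur = list_first_entry_or_null(&c->ld_active, struct desc, node);
	if (cur && cur->cookie == cookie)
		return cur->len;
	return queued_len(c, cookie);
}

int main(void)
{
	struct desc d = { .cookie = 7, .len = 4096 };	/* constructed sample */
	struct chan c = { { &c.ld_active, &c.ld_active }, { &d.node, &d.node } };
	d.node.next = d.node.prev = &c.ld_queue;	/* queued, nothing active */
	printf("early=%u guarded=%u\n", residue_early_return(&c, 7), residue_guarded(&c, 7));
	return 0;
}
```

With one descriptor queued and nothing active, the early-return shape reports 0 bytes left while the guarded shape reports the full length of the pending transfer.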