From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2ED814028CA for ; Tue, 19 May 2026 14:00:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779199227; cv=none; b=VDEZXHa9UmIz2+/yFiIUCEbNd5cu6if95kKOTYXp86xj2QdZzE9uv6V3/zksBnya9gyOG8vfAtFZENPtkP4DgaBasYOAbr5KPhM87bXMBP49fvTnGKav7fMO9yTAKSTBSNecJEQ3xXWZsoWYOX25gHZLAvukZLxzEOqiTHaXlTI= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779199227; c=relaxed/simple; bh=Lkv4FkzYe52kJzX0OJux4qOxTKCc69EBDWVrPfeRBow=; h=From:Subject:To:Cc:In-Reply-To:References:Content-Type:Date: Message-Id; b=b3ELdNiGRkpqoailNXCB3kKjJ716S6mUVcOpFHUeRGCxWzusy1wh+xZ6UYDc2VYEG4J3EGqSANtJlZGi/w1WAAVii6lW6qVjA5CIdFb+901bXNwHVgcf8icYACTIxGSoPRdK95Z4O4Z9GjXHrf1RETX2FvAxUwRQNF9ebytPtvI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=ekP+CaB0; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="ekP+CaB0" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 76DA9C2BCC7; Tue, 19 May 2026 14:00:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1779199226; bh=Lkv4FkzYe52kJzX0OJux4qOxTKCc69EBDWVrPfeRBow=; h=From:Subject:Reply-To:To:Cc:In-Reply-To:References:Date:From; b=ekP+CaB0VZaNHcAeB99l6ZmUWJYE+JNjU53HGr0Rri1Qa4xyji3IzLCfhBonZCGN1 12c6xRFmOkELAaYvHIz4aiOHkkjD8hmXPBZntm1zEyUjv3BKeNT8oDqEOFPyWWXS7Z pf7ZGX94IP1zOSDQkZUBIaGZYnLTWr36V5UChB2Olj/qHUJDU1MQSD0bRi+ip/zhFg rMuPqkqJt7QJJKauyrJmIESsDyM15FWmpUsahgt8LqsmDADkzC77lYuX92mvseA1FZ CvTe92p9qZwxcARs9c6pzdnVrfPd0lp4nvpf+SZ8zTrZOjCZCmhmk5gJCQ1cGkWhnf TirexE9QEbsxg== From: sashiko-bot@kernel.org Subject: Re: [PATCH v17 11/14] crypto: qce - Use existing devres APIs in devm_qce_dma_request() Reply-To: sashiko-reviews@lists.linux.dev To: "Bartosz Golaszewski" Cc: dmaengine@vger.kernel.org, vkoul@kernel.org, Frank.Li@kernel.org In-Reply-To: <20260519-qcom-qce-cmd-descr-v17-11-53a595414b79@oss.qualcomm.com> References: <20260519-qcom-qce-cmd-descr-v17-11-53a595414b79@oss.qualcomm.com> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Date: Tue, 19 May 2026 14:00:25 +0000 Message-Id: <20260519140026.76DA9C2BCC7@smtp.kernel.org> Precedence: bulk X-Mailing-List: dmaengine@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Thank you for your contribution! Sashiko AI review found 1 potential issue(= s) to consider: - [Critical] Missing explicit DMA channel termination during devres unbind = causes Use-After-Free and Memory Corruption. -- commit 70443e1ff257db05490919ac891065820eb4d755 Author: Bartosz Golaszewski crypto: qce - Use existing devres APIs in devm_qce_dma_request() This commit switches the DMA channel requests and memory allocation to use devres APIs, allowing the removal of explicit error handling and cleanup routines. > diff --git a/drivers/crypto/qce/dma.c b/drivers/crypto/qce/dma.c > index c29b0abe94453..3db46fc0c419a 100644 > --- a/drivers/crypto/qce/dma.c > +++ b/drivers/crypto/qce/dma.c [ ... ] > @@ -12,47 +12,26 @@ > =20 > #define QCE_IGNORE_BUF_SZ (2 * QCE_BAM_BURST_SIZE) > =20 > -static void qce_dma_release(void *data) > -{ > - struct qce_dma_data *dma =3D data; > - > - dma_release_channel(dma->txchan); > - dma_release_channel(dma->rxchan); > - kfree(dma->result_buf); > -} > - > int devm_qce_dma_request(struct qce_device *qce) > { > struct qce_dma_data *dma =3D &qce->dma; > struct device *dev =3D qce->dev; > - int ret; > =20 > - dma->txchan =3D dma_request_chan(dev, "tx"); > + dma->result_buf =3D devm_kmalloc(dev, QCE_RESULT_BUF_SZ + QCE_IGNORE_BU= F_SZ, GFP_KERNEL); > + if (!dma->result_buf) > + return -ENOMEM; > + > + dma->txchan =3D devm_dma_request_chan(dev, "tx"); > if (IS_ERR(dma->txchan)) > return dev_err_probe(dev, PTR_ERR(dma->txchan), > "Failed to get TX DMA channel\n"); > =20 > - dma->rxchan =3D dma_request_chan(dev, "rx"); > + dma->rxchan =3D devm_dma_request_chan(dev, "rx"); Does relying solely on devres for cleanup leave active DMA transfers running during device unbind? While this code simplifies the cleanup path, devres will automatically free result_buf and release the DMA channels during unbind. However, releasing an active DMA channel without first calling dmaengine_terminate_sync() violates the dmaengine API. If an unbind occurs while a transfer is in progress, could the hardware continue writing to the newly freed dma->result_buf and corrupt memory? Additionally, the work cancellation routine (qce_cancel_work) is registered via devres after these DMA channels are requested. Since devres unwinds in LIFO order, the work is canceled before the DMA channels are released. If a running DMA transfer completes right after qce_cancel_work finishes, could the DMA completion callback execute and unconditionally call schedule_work(= )? Since the work cancelation phase has already passed, this newly scheduled work would not be canceled, potentially leading to a use-after-free when devres proceeds to free the qce structure. > + if (IS_ERR(dma->rxchan)) > + return dev_err_probe(dev, PTR_ERR(dma->rxchan), > + "Failed to get RX DMA channel\n"); [ ... ] --=20 Sashiko AI review =C2=B7 https://sashiko.dev/#/patchset/20260519-qcom-qce-c= md-descr-v17-0-53a595414b79@oss.qualcomm.com?part=3D11