From: sashiko-bot@kernel.org
To: Frank.Li@oss.nxp.com
Cc: dmaengine@vger.kernel.org, linux-pci@vger.kernel.org,
Frank.Li@kernel.org, vkoul@kernel.org, imx@lists.linux.dev
Subject: Re: [PATCH v6 2/9] dmaengine: Add safe API to combine configuration and preparation
Date: Thu, 21 May 2026 00:01:04 +0000 [thread overview]
Message-ID: <20260521000104.CC1891F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260520-dma_prep_config-v6-2-06e49b7acb38@nxp.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] Stack-allocated scatterlist in dmaengine_prep_config_single_safe() leads to use-after-free when consumed asynchronously by DMA drivers.
--
commit 7f280444e5ae16961e6f77cb674cd3ac061779a0
Author: Frank Li <Frank.Li@nxp.com>
dmaengine: Add safe API to combine configuration and preparation
This commit introduces two helpers to combine DMA slave configuration and
transfer preparation atomically. Drivers can either provide a new callback
or the helpers will serialize the operations using a per-channel spinlock.
> diff --git a/include/linux/dmaengine.h b/include/linux/dmaengine.h
> index defa377d2ef54..6fe46c0c94527 100644
> --- a/include/linux/dmaengine.h
> +++ b/include/linux/dmaengine.h
[ ... ]
> +static inline struct dma_async_tx_descriptor *
> +dmaengine_prep_config_single_safe(struct dma_chan *chan, dma_addr_t buf,
> + size_t len, enum dma_transfer_direction dir,
> + unsigned long flags,
> + struct dma_slave_config *config)
> +{
> + struct scatterlist sg;
> +
> + sg_init_table(&sg, 1);
> + sg_dma_address(&sg) = buf;
> + sg_dma_len(&sg) = len;
> +
> + return dmaengine_prep_config_sg_safe(chan, &sg, 1, dir, flags, config);
[Severity: Critical]
Can this lead to a use-after-free if the DMA driver consumes the scatterlist
asynchronously?
The scatterlist sg is allocated on the stack here. While some drivers might
process the scatterlist synchronously during the device_prep_slave_sg or
device_prep_config_sg callbacks, others (such as qdma) may save the sgl
pointer internally to process later during tx_submit or hardware enqueue.
By the time the driver accesses the saved sgl pointer, this function will
have returned and the stack frame will be destroyed.
> +}
> +
> #ifdef CONFIG_RAPIDIO_DMA_ENGINE
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260520-dma_prep_config-v6-0-06e49b7acb38@nxp.com?part=2
next prev parent reply other threads:[~2026-05-21 0:01 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-20 22:00 [PATCH v6 0/9] dmaengine: Add new API to combine configuration and descriptor preparation Frank.Li
2026-05-20 22:00 ` [PATCH v6 1/9] dmaengine: Add API to combine configuration and preparation (sg and single) Frank.Li
2026-05-20 22:00 ` [PATCH v6 2/9] dmaengine: Add safe API to combine configuration and preparation Frank.Li
2026-05-21 0:01 ` sashiko-bot [this message]
2026-05-21 14:56 ` Frank Li
2026-05-20 22:00 ` [PATCH v6 3/9] PCI: endpoint: pci-epf-test: Use dmaenigne_prep_config_single() to simplify code Frank.Li
2026-05-20 22:00 ` [PATCH v6 4/9] dmaengine: dw-edma: Use new .device_prep_config_sg() callback Frank.Li
2026-05-21 0:31 ` sashiko-bot
2026-05-21 14:59 ` Frank Li
2026-05-20 22:00 ` [PATCH v6 5/9] dmaengine: dw-edma: Pass dma_slave_config to dw_edma_device_transfer() Frank.Li
2026-05-21 0:51 ` sashiko-bot
2026-05-21 15:02 ` Frank Li
2026-05-20 22:00 ` [PATCH v6 6/9] nvmet: pci-epf: Remove unnecessary dmaengine_terminate_sync() on each DMA transfer Frank.Li
2026-05-20 22:00 ` [PATCH v6 7/9] nvmet: pci-epf: Use dmaengine_prep_config_single_safe() API Frank.Li
2026-05-21 1:39 ` sashiko-bot
2026-05-21 15:08 ` Frank Li
2026-05-20 22:00 ` [PATCH v6 8/9] PCI: epf-mhi: Use dmaengine_prep_config_single() to simplify code Frank.Li
2026-05-21 2:08 ` sashiko-bot
2026-05-21 15:09 ` Frank Li
2026-05-20 22:00 ` [PATCH v6 9/9] crypto: atmel: Use dmaengine_prep_config_sg() API Frank.Li
2026-05-21 2:33 ` sashiko-bot
2026-05-21 15:11 ` Frank Li
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260521000104.CC1891F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=Frank.Li@oss.nxp.com \
--cc=dmaengine@vger.kernel.org \
--cc=imx@lists.linux.dev \
--cc=linux-pci@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=vkoul@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox