From: Maoyi Xie <maoyixie.tju@gmail.com>
To: Vinod Koul <vkoul@kernel.org>
Cc: Frank Li <Frank.Li@kernel.org>,
Geert Uytterhoeven <geert+renesas@glider.be>,
dmaengine@vger.kernel.org, linux-renesas-soc@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH 1/2] dmaengine: mpc512x: fix dead empty check in mpc_dma_prep_slave_sg()
Date: Thu, 21 May 2026 22:47:54 +0800 [thread overview]
Message-ID: <20260521144755.3476353-2-maoyixie.tju@gmail.com> (raw)
In-Reply-To: <20260521144755.3476353-1-maoyixie.tju@gmail.com>
mpc_dma_prep_slave_sg() reads mchan->free with list_first_entry()
and then tests the returned pointer against NULL. list_first_entry()
never returns NULL. On an empty free list it returns
container_of(&mchan->free, struct mpc_dma_desc, node), an aliased
pointer derived from the list head. The recovery path (drop lock,
scan completed list, return NULL) is dead code.
If the free list is ever empty here, the aliased mdesc points at
&mchan->free. The list_del(&mdesc->node) that follows then runs on
the head itself, corrupting mchan->free.next and mchan->free.prev.
The free list is reachable empty when the descriptor pool is
exhausted. The author intent was clear from the recovery path:
release the lock, scan the completed list to free descriptors, and
return NULL so the caller can retry.
Use list_first_entry_or_null() so the empty case returns NULL and
the existing recovery path runs as intended.
The same shape has been cleaned up elsewhere, for example in
commit fbb8bc408027 ("net: qed: Remove redundant NULL checks after list_first_entry()"),
commit c708d3fad421 ("crypto: atmel - use list_first_entry_or_null to simplify find_dev"),
and commit 10379171f346 ("ksmbd: use list_first_entry_or_null for opinfo_get_list()").
This site was missed by those cleanups.
Signed-off-by: Maoyi Xie <maoyixie.tju@gmail.com>
---
drivers/dma/mpc512x_dma.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/dma/mpc512x_dma.c b/drivers/dma/mpc512x_dma.c
index 0adc8e01057e..f5934136efc4 100644
--- a/drivers/dma/mpc512x_dma.c
+++ b/drivers/dma/mpc512x_dma.c
@@ -706,8 +706,8 @@ mpc_dma_prep_slave_sg(struct dma_chan *chan, struct scatterlist *sgl,
for_each_sg(sgl, sg, sg_len, i) {
spin_lock_irqsave(&mchan->lock, iflags);
- mdesc = list_first_entry(&mchan->free,
- struct mpc_dma_desc, node);
+ mdesc = list_first_entry_or_null(&mchan->free,
+ struct mpc_dma_desc, node);
if (!mdesc) {
spin_unlock_irqrestore(&mchan->lock, iflags);
/* Try to free completed descriptors */
--
2.34.1
next prev parent reply other threads:[~2026-05-21 14:48 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-21 14:47 [PATCH 0/2] dmaengine: fix dead empty checks in mpc512x and rz-dmac Maoyi Xie
2026-05-21 14:47 ` Maoyi Xie [this message]
2026-05-21 15:42 ` [PATCH 1/2] dmaengine: mpc512x: fix dead empty check in mpc_dma_prep_slave_sg() sashiko-bot
2026-05-21 16:30 ` Frank Li
2026-05-22 15:02 ` [PATCH v2] " Maoyi Xie
2026-05-22 15:23 ` sashiko-bot
2026-05-21 14:47 ` [PATCH 2/2] dmaengine: rz-dmac: fix dead empty check in rz_dmac_chan_get_residue() Maoyi Xie
2026-05-21 16:05 ` sashiko-bot
2026-05-22 8:16 ` Geert Uytterhoeven
2026-05-22 8:37 ` Maoyi Xie
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260521144755.3476353-2-maoyixie.tju@gmail.com \
--to=maoyixie.tju@gmail.com \
--cc=Frank.Li@kernel.org \
--cc=dmaengine@vger.kernel.org \
--cc=geert+renesas@glider.be \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-renesas-soc@vger.kernel.org \
--cc=vkoul@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox