DMA Engine development
From: sashiko-bot@kernel.org
To: "Bartosz Golaszewski" <bartosz.golaszewski@oss.qualcomm.com>
Cc: dmaengine@vger.kernel.org, vkoul@kernel.org, Frank.Li@kernel.org
Subject: Re: [PATCH v19 11/14] crypto: qce - Use existing devres APIs in devm_qce_dma_request()
Date: Tue, 26 May 2026 16:09:01 +0000
Message-ID: <20260526160902.528571F000E9@smtp.kernel.org>
In-Reply-To: <20260526-qcom-qce-cmd-descr-v19-11-08472fdcbf4a@oss.qualcomm.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Invalid explicit cleanup of devm-managed resources causes slab corruption and double-free vulnerabilities.
--

commit 633f351bd909cf49fe67df70c5d1504f4356decf
Author: Bartosz Golaszewski <brgl@kernel.org>

crypto: qce - Use existing devres APIs in devm_qce_dma_request()

This commit switches the explicit dma_request_chan and kmalloc calls to
their devm_* counterparts in devm_qce_dma_request. It also simplifies the
error handling paths and renames the release action.

> diff --git a/drivers/crypto/qce/dma.c b/drivers/crypto/qce/dma.c
> index d60efb5c26d88..c2602d35baa6a 100644
> --- a/drivers/crypto/qce/dma.c
> +++ b/drivers/crypto/qce/dma.c
> @@ -12,7 +12,7 @@
>  
>  #define QCE_IGNORE_BUF_SZ		(2 * QCE_BAM_BURST_SIZE)
>  
> -static void qce_dma_release(void *data)
> +static void qce_dma_terminate(void *data)
>  {
>  	struct qce_dma_data *dma = data;
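
Review bot: the rename to qce_dma_terminate() at the top of this hunk narrows what the callback claims to do, but nothing in the hunk documents which resources it still owns. A short comment above the function stating that it only stops the channels, and that releasing the channels and freeing result_buf are left to their devres entries, would keep later edits from reintroducing explicit cleanup. The action also has to be registered after both channel requests, because devres runs release entries in reverse order of registration and the terminate step must come before the channels are released.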

[Severity: High]
Does qce_dma_terminate() still call kfree(dma->result_buf) and
dma_release_channel() on the DMA channels?

Looking at the unmodified portion of the function:

static void qce_dma_terminate(void *data)
{
        struct qce_dma_data *dma = data;

        dmaengine_terminate_sync(dma->txchan);
        dmaengine_terminate_sync(dma->rxchan);
        dma_release_channel(dma->txchan);
        dma_release_channel(dma->rxchan);
        kfree(dma->result_buf);
}

Since dma->result_buf, dma->txchan, and dma->rxchan are now allocated using
devm_kmalloc() and devm_dma_request_chan() below, won't the devres framework
automatically clean them up during device teardown?

Because devm_add_action_or_reset() adds this callback to the devres list, it
will execute first and manually free these resources. When the devres
framework subsequently cleans up the devm allocations, could this lead to a
double-free and slab corruption?

[ ... ]

> @@ -27,34 +27,22 @@ int devm_qce_dma_request(struct qce_device *qce)
>  {
>  	struct qce_dma_data *dma = &qce->dma;
>  	struct device *dev = qce->dev;
> -	int ret;
>  
> -	dma->txchan = dma_request_chan(dev, "tx");
> +	dma->result_buf = devm_kmalloc(dev, QCE_RESULT_BUF_SZ + QCE_IGNORE_BUF_SZ, GFP_KERNEL);
> +	if (!dma->result_buf)
> +		return -ENOMEM;
> +
> +	dma->txchan = devm_dma_request_chan(dev, "tx");
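
Review bot: with "int ret" removed in this hunk, the devm_dma_request_chan(dev, "tx") call on the last added line has no local left to carry its error, so the IS_ERR() check that follows should return PTR_ERR(dma->txchan) directly or go through dev_err_probe(). The quoted hunk stops before that check, so it needs confirming against the full patch. Allocating result_buf before requesting the channels is the right order for devres, since the buffer is then freed only after the channels have been released.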

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260526-qcom-qce-cmd-descr-v19-0-08472fdcbf4a@oss.qualcomm.com?part=11
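
The double release raised in the review above, as an added userspace example that is not part of the original message or of the qce driver: it models a devres list with hypothetical helpers (model_devm_alloc, model_add, run_teardown), registers a buffer and then a cleanup action, and counts how often the buffer is released at teardown. Only result_buf is modelled; the two DMA channels would follow the same pattern.

```c
#include <stdio.h>
#include <stdlib.h>
/* Userspace model of a devres list; constructed, not kernel code. */
struct res { void (*release)(void *); void *data; };
static struct res stack[8];
static int nres, free_count;
static void *tracked;	/* buffer whose releases are counted */

/* Stand-in for kfree(): counts instead of freeing. */
static void model_free(void *p) { if (p == tracked) free_count++; }

static void model_add(void (*release)(void *), void *data)
{
	stack[nres].release = release;
	stack[nres++].data = data;
}

/* Like devm_kmalloc(): allocate and register the matching free. */
static void *model_devm_alloc(size_t n)
{
	void *p = malloc(n);
	model_add(model_free, p);
	return p;
}
/* Action shaped like the quoted function: frees the buffer itself. */
static void action_with_kfree(void *buf) { model_free(buf); }
/* Action that only quiesces; the buffer is left to its devres entry. */
static void action_terminate_only(void *buf) { (void)buf; }

/* Register buffer, then action; release newest-first; return free count. */
static int run_teardown(void (*action)(void *))
{
	nres = free_count = 0;
	tracked = model_devm_alloc(64);
	model_add(action, tracked);
	while (nres > 0) {
		nres--;
		stack[nres].release(stack[nres].data);
	}
	free(tracked);
	return free_count;
}

int main(void)
{
	printf("action frees buffer: %d\n", run_teardown(action_with_kfree));
	printf("terminate only: %d\n", run_teardown(action_terminate_only));
	return 0;
}
```

A release count of 2 corresponds to the kfree() in the action followed by the devres-owned free of the same pointer; a count of 1 is the expected single release.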
