From: sashiko-bot@kernel.org
To: "Rosen Penev" <rosenp@gmail.com>
Cc: Frank.Li@kernel.org, vkoul@kernel.org, dmaengine@vger.kernel.org
Subject: Re: [PATCHv3 04/15] dmaengine: fsldma: provide device_release callback
Date: Tue, 09 Jun 2026 22:29:13 +0000 [thread overview]
Message-ID: <20260609222913.E006F1F00898@smtp.kernel.org> (raw)
In-Reply-To: <20260609221926.35538-5-rosenp@gmail.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
New issues:
- [Critical] The patch introduces a double-free of `fdev` and multiple use-after-free (UAF) vulnerabilities during device teardown by leaving explicit cleanup operations in `fsldma_of_remove` after the device might have been freed.
Pre-existing issues:
- [High] Individual DMA channel structures (`struct fsldma_chan`) are unconditionally destroyed in `fsldma_of_remove()`, causing use-after-free and invalid hardware access if dmaengine clients still hold references.
- [High] The driver frees the DMA channel structure without ensuring its associated tasklet is killed, which can lead to a use-after-free if the tasklet executes after the channel is freed.
--
commit f8012bef1fb7e396bca2eeb8a77b04e6cdee7e7c
Author: Rosen Penev <rosenp@gmail.com>
dmaengine: fsldma: provide device_release callback
The DMA core requires drivers to set dma_device.device_release so that
the container structure is only freed after all references to it have
been dropped. This patch allocates fdev with kzalloc_obj, provides the
device_release callback, and saves channel pointers to avoid UAF during
removal.
> diff --git a/drivers/dma/fsldma.c b/drivers/dma/fsldma.c
> index 22d62d958abd9..06a6996a53229 100644
> --- a/drivers/dma/fsldma.c
> +++ b/drivers/dma/fsldma.c
> @@ -1211,6 +1211,8 @@ static void fsl_dma_chan_remove(struct fsldma_chan *chan)
> kfree(chan);
[Severity: High]
This isn't a bug introduced by this patch, but does this code free the DMA
channel structure without ensuring its associated tasklet is stopped?
While fsldma_free_irqs() prevents new hardware interrupts, an interrupt
that fired previously could have scheduled the tasklet. If the tasklet is
pending in the softirq queue, it will execute dma_do_tasklet() after chan
has been freed, resulting in a use-after-free.
Would it make sense to call tasklet_kill(&chan->tasklet) before freeing
the channel?
> }
>
[ ... ]
> @@ -1308,19 +1311,33 @@ static int fsldma_of_probe(struct platform_device *op)
> return err;
> }
>
> +static void fsldma_device_release(struct dma_device *dma_dev)
> +{
> + struct fsldma_device *fdev = container_of(dma_dev, struct fsldma_device,
> + common);
> + kfree(fdev);
> +}
> +
> static void fsldma_of_remove(struct platform_device *op)
> {
> - struct fsldma_device *fdev;
> + struct fsldma_device *fdev = platform_get_drvdata(op);
> + struct fsldma_chan *chans[FSL_DMA_MAX_CHANS_PER_DEVICE];
> unsigned int i;
>
> - fdev = platform_get_drvdata(op);
> - dma_async_device_unregister(&fdev->common);
> + for (i = 0; i < FSL_DMA_MAX_CHANS_PER_DEVICE; i++)
> + chans[i] = fdev->chan[i];
>
> fsldma_free_irqs(fdev);
>
> + /*
> + * fdev may be freed by fsldma_device_release inside this call;
> + * use saved copies of the channel pointers afterwards.
> + */
> + dma_async_device_unregister(&fdev->common);
> +
> for (i = 0; i < FSL_DMA_MAX_CHANS_PER_DEVICE; i++) {
> - if (fdev->chan[i])
> - fsl_dma_chan_remove(fdev->chan[i]);
> + if (chans[i])
> + fsl_dma_chan_remove(chans[i]);
[Severity: Critical]
If dma_async_device_unregister() drops the last reference and triggers
fsldma_device_release() to free fdev, does fsl_dma_chan_remove() cause
a use-after-free?
Inside fsl_dma_chan_remove(), list_del(&chan->common.device_node) modifies
the list head linked to fdev->common.channels, which belongs to the newly
freed fdev.
[Severity: High]
This is a pre-existing issue, but does destroying the channel structures
synchronously in fsldma_of_remove() lead to invalid hardware access and
use-after-free if dmaengine clients still hold references?
Since the channel lifetime needs to match the DMA device container, memory
is freed and I/O mapped registers are unmapped here while clients might
still have active references. Could the channel teardown be moved to the
fsldma_device_release() callback instead?
> }
> irq_dispose_mapping(fdev->irq);
[Severity: Critical]
Does accessing fdev->irq here cause a use-after-free if fdev was already
freed by dma_async_device_unregister() earlier in this function?
The unquoted code immediately following this in fsldma_of_remove() also
proceeds to call iounmap(fdev->regs) and kfree(fdev), which appears to
cause a double-free if the release callback already ran.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260609221926.35538-5-rosenp@gmail.com?part=1
next prev parent reply other threads:[~2026-06-09 22:29 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-09 22:19 [PATCHv3 00/15] dmaengine: fsldma: devm conversion, fixups, and cleanups Rosen Penev
2026-06-09 22:19 ` [PATCHv3 01/15] dmaengine: fsldma: kill tasklet before removing channel Rosen Penev
2026-06-09 22:31 ` sashiko-bot
2026-06-10 1:35 ` Frank Li
2026-06-09 22:19 ` [PATCHv3 02/15] dmaengine: fsldma: drop desc_lock before invoking client callback Rosen Penev
2026-06-09 22:32 ` sashiko-bot
2026-06-09 22:19 ` [PATCHv3 03/15] dmaengine: fsldma: halt DMA engine before freeing resources Rosen Penev
2026-06-10 2:46 ` Frank Li
2026-06-09 22:19 ` [PATCHv3 04/15] dmaengine: fsldma: provide device_release callback Rosen Penev
2026-06-09 22:29 ` sashiko-bot [this message]
2026-06-09 22:19 ` [PATCHv3 05/15] dmaengine: fsldma: check dma_async_device_register() return value Rosen Penev
2026-06-09 22:29 ` sashiko-bot
2026-06-09 22:19 ` [PATCHv3 06/15] dmaengine: fsldma: fix probe error path not freeing IRQs Rosen Penev
2026-06-09 22:19 ` [PATCHv3 07/15] dmaengine: fsldma: fix request_irqs unwind freeing unregistered IRQ Rosen Penev
2026-06-09 22:28 ` sashiko-bot
2026-06-09 22:19 ` [PATCHv3 08/15] dmaengine: fsldma: convert to platform_get_irq_optional() Rosen Penev
2026-06-10 2:58 ` Frank Li
2026-06-09 22:19 ` [PATCHv3 09/15] dmaengine: fsldma: use devm for kzalloc() Rosen Penev
2026-06-10 1:57 ` Frank Li
2026-06-09 22:19 ` [PATCHv3 10/15] dmaengine: fsldma: use devm_platform_ioremap_resource() Rosen Penev
2026-06-09 22:19 ` [PATCHv3 11/15] dmaengine: fsldma: convert channel allocation to devm_kzalloc() Rosen Penev
2026-06-09 22:19 ` [PATCHv3 12/15] dmaengine: fsldma: use devm for of_iomap() Rosen Penev
2026-06-10 1:53 ` Frank Li
2026-06-09 22:19 ` [PATCHv3 13/15] dmaengine: fsldma: replace irq_of_parse_and_map with of_irq_get Rosen Penev
2026-06-09 22:36 ` sashiko-bot
2026-06-09 22:19 ` [PATCHv3 14/15] dmaengine: fsldma: replace ppc-specific accessors with portable generic ones Rosen Penev
2026-06-09 22:19 ` [PATCHv3 15/15] dmaengine: fsldma: fix kernel-doc param names to match function signatures Rosen Penev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260609222913.E006F1F00898@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=Frank.Li@kernel.org \
--cc=dmaengine@vger.kernel.org \
--cc=rosenp@gmail.com \
--cc=sashiko-reviews@lists.linux.dev \
--cc=vkoul@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox