[PATCH v2] dmaengine: sun6i-dma: Fix memory leak in sun6i_dma_terminate

DMA Engine development
 help / color / mirror / Atom feed

* [PATCH v2] dmaengine: sun6i-dma: Fix memory leak in sun6i_dma_terminate_all
@ 2026-06-16  6:04 Hongling Zeng
  2026-06-16  6:16 ` sashiko-bot
  0 siblings, 1 reply; 2+ messages in thread
From: Hongling Zeng @ 2026-06-16  6:04 UTC (permalink / raw)
  To: vkoul, Frank.Li, wens, jernej.skrabec, samuel, mripard, arnd
  Cc: dmaengine, linux-arm-kernel, linux-sunxi, linux-kernel,
	zhongling0719, Hongling Zeng

When terminating a non-cyclic DMA transfer, the active descriptor
is not properly reclaimed. The descriptor is removed from the
desc_issued list in sun6i_dma_start_desc(), but in
sun6i_dma_terminate_all(), only cyclic transfer descriptors are
added to the desc_completed list before cleanup.

For non-cyclic transfers, pchan->desc is set to NULL without first
adding the descriptor back to a list that vchan_get_all_descriptors()
can collect. This causes the descriptor and its associated LLI chain
to be permanently leaked.

Fix by ensuring both cyclic and non-cyclic active descriptors are
added to the desc_completed list before setting pchan->desc to NULL.

Fixes: 555859308723 ("dmaengine: sun6i: Add driver for the Allwinner A31 DMA controller")
Signed-off-by: Hongling Zeng <zenghongling@kylinos.cn>

---
 Change in v2;
 -Add pchan->desc != pchan->done check to prevent race condition
  where completed descriptors could be double-added to desc_completed
  list, causing list corruption
---
 drivers/dma/sun6i-dma.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/drivers/dma/sun6i-dma.c b/drivers/dma/sun6i-dma.c
index 7a79f346250a..12d038ef5f2e 100644
--- a/drivers/dma/sun6i-dma.c
+++ b/drivers/dma/sun6i-dma.c
@@ -946,16 +946,14 @@ static int sun6i_dma_terminate_all(struct dma_chan *chan)
 
 	spin_lock_irqsave(&vchan->vc.lock, flags);
 
-	if (vchan->cyclic) {
-		vchan->cyclic = false;
-		if (pchan && pchan->desc) {
-			struct virt_dma_desc *vd = &pchan->desc->vd;
-			struct virt_dma_chan *vc = &vchan->vc;
+	if (pchan && pchan->desc && pchan->desc != pchan->done) {
+		struct virt_dma_desc *vd = &pchan->desc->vd;
+		struct virt_dma_chan *vc = &vchan->vc;
 
-			list_add_tail(&vd->node, &vc->desc_completed);
-		}
+		list_add_tail(&vd->node, &vc->desc_completed);
 	}
 
+	vchan->cyclic = false;
 	vchan_get_all_descriptors(&vchan->vc, &head);
 
 	if (pchan) {
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH v2] dmaengine: sun6i-dma: Fix memory leak in sun6i_dma_terminate_all
  2026-06-16  6:04 [PATCH v2] dmaengine: sun6i-dma: Fix memory leak in sun6i_dma_terminate_all Hongling Zeng
@ 2026-06-16  6:16 ` sashiko-bot
  0 siblings, 0 replies; 2+ messages in thread
From: sashiko-bot @ 2026-06-16  6:16 UTC (permalink / raw)
  To: Hongling Zeng; +Cc: Frank.Li, dmaengine, vkoul, linux-sunxi

Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:

Pre-existing issues:
- [Critical] Lockless read of `vchan->phy` in `sun6i_dma_terminate_all` leads to a TOCTOU race condition that can hijack and corrupt another channel's physical state.
- [High] Concurrent execution of `sun6i_dma_terminate_all` and `sun6i_dma_interrupt` can lead to a fatal NULL pointer dereference.
- [High] Terminating an active cyclic transfer frees the descriptor without clearing the virt-dma cyclic pointer, leading to a Use-After-Free.
- [High] Plain `spin_lock` on `sdev->lock` in process context deadlocks with softirq tasklet.
--

commit f08a1b576e146ed2d00cd844a90cf04a64b43397
Author: Hongling Zeng <zenghongling@kylinos.cn>

dmaengine: sun6i-dma: Fix memory leak in sun6i_dma_terminate_all

This commit addresses a memory leak for non-cyclic DMA transfers. It ensures
both cyclic and non-cyclic active descriptors are added to the desc_completed
list before cleanup to prevent them from being permanently leaked.

> diff --git a/drivers/dma/sun6i-dma.c b/drivers/dma/sun6i-dma.c
> index a9a254dbf8cb9..46c837e87e6e4 100644
> --- a/drivers/dma/sun6i-dma.c
> +++ b/drivers/dma/sun6i-dma.c
> @@ -945,16 +945,14 @@ static int sun6i_dma_terminate_all(struct dma_chan *chan)
>  
>  	spin_lock_irqsave(&vchan->vc.lock, flags);

[Severity: High]
This is a pre-existing issue, but does acquiring sdev->lock earlier in this
function create a deadlock risk?

sun6i_dma_terminate_all() calls spin_lock(&sdev->lock) without disabling
softirqs. If a hardware interrupt fires on the same CPU while the lock is
held, the kernel processes pending softirqs upon returning from the interrupt.

This runs sun6i_dma_tasklet(), which attempts to acquire the lock using
spin_lock_irq(&sdev->lock). Will this cause a self-deadlock since the
interrupted process context already holds the lock?

>  
> -	if (vchan->cyclic) {
> -		vchan->cyclic = false;
> -		if (pchan && pchan->desc) {
> -			struct virt_dma_desc *vd = &pchan->desc->vd;
> -			struct virt_dma_chan *vc = &vchan->vc;
> +	if (pchan && pchan->desc && pchan->desc != pchan->done) {

[Severity: Critical]
This isn't a bug introduced by this patch, but does this code have a race
condition that can corrupt another channel?

At the top of sun6i_dma_terminate_all(), the pchan pointer is cached
locklessly from vchan->phy before taking any locks.

Concurrently, sun6i_dma_tasklet() can complete a transfer, set
vchan->phy = NULL, and reassign this exact pchan to a different virtual
channel.

When this code subsequently acquires vchan->vc.lock, wouldn't it use the
stale pchan pointer to inappropriately access descriptors and halt hardware
belonging to the newly assigned channel?

> +		struct virt_dma_desc *vd = &pchan->desc->vd;
> +		struct virt_dma_chan *vc = &vchan->vc;
>  
> -			list_add_tail(&vd->node, &vc->desc_completed);
> -		}
> +		list_add_tail(&vd->node, &vc->desc_completed);

[Severity: High]
This is a pre-existing issue, but does terminating an active cyclic transfer
leave a dangling pointer here?

The active descriptor is added to desc_completed so it can be freed by
vchan_dma_desc_free_list(), but the virt-dma pointer vc->cyclic is never
cleared.

If vchan_complete() runs asynchronously from the tasklet, couldn't it see a
non-NULL vc->cyclic and dereference the freed descriptor? Standard virt-dma
drivers typically use vchan_terminate_vdesc() to clear this.

>  	}
>  
> +	vchan->cyclic = false;
>  	vchan_get_all_descriptors(&vchan->vc, &head);
>  
>  	if (pchan) {

[ ... ]

>  		vchan->phy = NULL;
>  		pchan->vchan = NULL;
>  		pchan->desc = NULL;

[Severity: High]
This isn't a bug introduced by this patch, but can clearing pchan->desc here
race with the interrupt handler and cause a NULL pointer dereference?

In sun6i_dma_interrupt(), vchan->cyclic is read locklessly. If it evaluates
to false, the handler blocks on spin_lock(&vchan->vc.lock):

sun6i_dma_interrupt() {
    ...
    if (!vchan->cyclic) {
        spin_lock(&vchan->vc.lock);
        vchan_cookie_complete(&pchan->desc->vd);
        ...
}

If sun6i_dma_terminate_all() concurrently acquires the lock and sets
pchan->desc = NULL, when the interrupt handler unblocks, wouldn't
evaluating &pchan->desc->vd crash the kernel?

>  		pchan->done = NULL;
>  	}

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260616060449.42225-1-zenghongling@kylinos.cn?part=1

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-06-16  6:16 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-16  6:04 [PATCH v2] dmaengine: sun6i-dma: Fix memory leak in sun6i_dma_terminate_all Hongling Zeng
2026-06-16  6:16 ` sashiko-bot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox