DMA Engine development
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Bartosz Golaszewski" <bartosz.golaszewski@oss.qualcomm.com>
Cc: vkoul@kernel.org, dmaengine@vger.kernel.org, Frank.Li@kernel.org
Subject: Re: [PATCH v20 11/14] crypto: qce - Use existing devres APIs in devm_qce_dma_request()
Date: Mon, 29 Jun 2026 10:17:17 +0000	[thread overview]
Message-ID: <20260629101718.38A721F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260629-qcom-qce-cmd-descr-v20-11-56f67da84c05@oss.qualcomm.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

New issues:
- [Low] Commit message references a non-existent API function.

Pre-existing issues:
- [High] The devres unwinding order frees the DMA channels and result buffer BEFORE the background workqueue is explicitly canceled, creating a Use-After-Free window.
--

commit f6e312d1a680b31426e3cdbbdcdf493a9628353f
Author: Bartosz Golaszewski <brgl@kernel.org>

crypto: qce - Use existing devres APIs in devm_qce_dma_request()

Switch to devm_kmalloc() and devm_dma_alloc_chan() in devm_qce_dma_request()
to simplify the function and drop error labels.

>     Switch to devm_kmalloc() and devm_dma_alloc_chan() in
>     devm_qce_dma_request(). This allows us to drop two labels and shrink the
>     function.

[Severity: Low]
This isn't a bug, but the commit message references devm_dma_alloc_chan()
instead of the actually used devm_dma_request_chan().

> diff --git a/drivers/crypto/qce/dma.c b/drivers/crypto/qce/dma.c
> index d60efb5c26d88..26347e9fc078a 100644
> --- a/drivers/crypto/qce/dma.c
> +++ b/drivers/crypto/qce/dma.c
[ ... ]
> -	dma->rxchan = dma_request_chan(dev, "rx");
> -	if (IS_ERR(dma->rxchan)) {
> -		ret = dev_err_probe(dev, PTR_ERR(dma->rxchan),
> -				    "Failed to get RX DMA channel\n");
> -		goto error_rx;
> -	}
> -
> -	dma->result_buf = kmalloc(QCE_RESULT_BUF_SZ + QCE_IGNORE_BUF_SZ,
> -				  GFP_KERNEL);
> -	if (!dma->result_buf) {
> -		ret = -ENOMEM;
> -		goto error_nomem;
> -	}
> -
> -	return devm_add_action_or_reset(dev, qce_dma_release, dma);
> +	dma->rxchan = devm_dma_request_chan(dev, "rx");
> +	if (IS_ERR(dma->rxchan))
> +		return dev_err_probe(dev, PTR_ERR(dma->rxchan),
> +				     "Failed to get RX DMA channel\n");
>  
> -error_nomem:
> -	dma_release_channel(dma->rxchan);
> -error_rx:
> -	dma_release_channel(dma->txchan);
> -	return ret;
> +	return devm_add_action_or_reset(dev, qce_dma_terminate, dma);
>  }

[Severity: High]
This is a pre-existing issue, but does the devres unwinding order here
create a window for a use-after-free?

In qce_crypto_probe(), qce_cancel_work is registered before the DMA 
resources are requested:

drivers/crypto/qce/core.c:qce_crypto_probe() {
    ...
    INIT_WORK(&qce->done_work, qce_req_done_work);
    ret = devm_add_action_or_reset(dev, qce_cancel_work, &qce->done_work);
    if (ret)
        return ret;

    ret = devm_qce_dma_request(qce);
    ...
}

Since devres actions are unwound in reverse order of registration (LIFO),
during unbind or late probe failure, the DMA termination registered here
will execute first. This frees txchan, rxchan, and result_buf.

Only after the DMA resources are freed does the unwinding sequence call
cancel_work_sync() for the done_work. If the background workqueue
qce_req_done_work() is already running or scheduled, could it process
subsequent crypto requests by calling qce_handle_queue() and accessing the
now-freed DMA channels and buffers?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260629-qcom-qce-cmd-descr-v20-0-56f67da84c05@oss.qualcomm.com?part=11

  reply	other threads:[~2026-06-29 10:17 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-29 10:01 [PATCH v20 00/14] crypto/dmaengine: qce: introduce BAM locking and use DMA for register I/O Bartosz Golaszewski
2026-06-29 10:01 ` [PATCH v20 01/14] dmaengine: constify struct dma_descriptor_metadata_ops Bartosz Golaszewski
2026-06-29 15:04   ` Pandey, Radhey Shyam
2026-06-29 10:01 ` [PATCH v20 02/14] dmaengine: qcom: bam_dma: free interrupt before the clock in error path Bartosz Golaszewski
2026-06-29 10:18   ` sashiko-bot
2026-06-29 10:01 ` [PATCH v20 03/14] dmaengine: qcom: bam_dma: convert tasklet to a BH workqueue Bartosz Golaszewski
2026-06-29 10:17   ` sashiko-bot
2026-06-29 10:01 ` [PATCH v20 04/14] dmaengine: qcom: bam_dma: Extend the driver's device match data Bartosz Golaszewski
2026-06-29 10:01 ` [PATCH v20 05/14] dmaengine: qcom: bam_dma: Add pipe_lock_supported flag support Bartosz Golaszewski
2026-06-29 10:18   ` sashiko-bot
2026-06-29 10:01 ` [PATCH v20 06/14] dmaengine: qcom: bam_dma: add support for BAM locking Bartosz Golaszewski
2026-06-29 10:16   ` sashiko-bot
2026-06-29 10:01 ` [PATCH v20 07/14] crypto: qce - Cancel work on device detach Bartosz Golaszewski
2026-06-29 10:15   ` sashiko-bot
2026-06-29 10:01 ` [PATCH v20 08/14] crypto: qce - Include algapi.h in the core.h header Bartosz Golaszewski
2026-06-29 10:01 ` [PATCH v20 09/14] crypto: qce - Remove unused ignore_buf Bartosz Golaszewski
2026-06-29 10:01 ` [PATCH v20 10/14] crypto: qce - Simplify arguments of devm_qce_dma_request() Bartosz Golaszewski
2026-06-29 10:01 ` [PATCH v20 11/14] crypto: qce - Use existing devres APIs in devm_qce_dma_request() Bartosz Golaszewski
2026-06-29 10:17   ` sashiko-bot [this message]
2026-06-29 10:01 ` [PATCH v20 12/14] crypto: qce - Map crypto memory for DMA Bartosz Golaszewski
2026-06-29 10:14   ` sashiko-bot
2026-06-29 10:01 ` [PATCH v20 13/14] crypto: qce - Add BAM DMA support for crypto register I/O Bartosz Golaszewski
2026-06-29 10:22   ` sashiko-bot
2026-06-29 10:01 ` [PATCH v20 14/14] crypto: qce - Communicate the base physical address to the dmaengine Bartosz Golaszewski
2026-06-29 10:24   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260629101718.38A721F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=Frank.Li@kernel.org \
    --cc=bartosz.golaszewski@oss.qualcomm.com \
    --cc=dmaengine@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=vkoul@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox