From: Stepan Ionichev
To: zhoubinbin@loongson.cn
Cc: vkoul@kernel.org, Frank.Li@nxp.com, dmaengine@vger.kernel.org, linux-kernel@vger.kernel.org, Stepan Ionichev
Subject: [PATCH v2] dma: loongson2-apb-cmc: fix NULL deref in residue computation
Date: Thu, 7 May 2026 22:50:52 +0500
Message-Id: <20260507175052.9711-1-sozdayvek@gmail.com>
In-Reply-To: <20260507023153.400-1-sozdayvek@gmail.com>
References: <20260507023153.400-1-sozdayvek@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

loongson2_cmc_dma_desc_residue() takes a "desc" parameter that is the
descriptor whose residue should be computed. The body uses it correctly
via "desc->num_sgs" and "desc->sg_req[i].len", but the cyclic check
incorrectly looks at the channel's stale current descriptor instead:

    if (lchan->desc->cyclic && next_sg == 0)
        return residue;

This breaks when the function is called from the vdesc fallback path of
loongson2_cmc_dma_tx_status():

    if (lchan->desc && cookie == lchan->desc->vdesc.tx.cookie)
        state->residue = ...desc_residue(lchan, lchan->desc, ...);
    else if (vdesc)
        state->residue = ...desc_residue(lchan, to_lmdma_desc(vdesc), 0);

The else-if branch is taken precisely when "lchan->desc" is NULL or
points to a different descriptor than the one being queried, so
dereferencing "lchan->desc->cyclic" inside the helper either NULL-derefs
or reads the wrong descriptor's flag.

smatch flags the inconsistency:

    drivers/dma/loongson/loongson2-apb-cmc-dma.c:516 loongson2_cmc_dma_tx_status() error: 'lchan->desc' could be null (see line 512)

Use the "desc" parameter, matching how the rest of the function already
accesses fields of the descriptor under inspection.

Fixes: 1c0028e725f1 ("dmaengine: loongson: New driver for the Loongson Multi-Channel DMA controller")
Signed-off-by: Stepan Ionichev --- v2: - Drop "we previously assumed" from the smatch quote (Frank Li). - Add Fixes: tag. drivers/dma/loongson/loongson2-apb-cmc-dma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/dma/loongson/loongson2-apb-cmc-dma.c b/drivers/dma/loongson/loongson2-apb-cmc-dma.c index 1c9a542ed..3b02bcd75 100644 --- a/drivers/dma/loongson/loongson2-apb-cmc-dma.c +++ b/drivers/dma/loongson/loongson2-apb-cmc-dma.c @@ -487,7 +487,7 @@ static size_t loongson2_cmc_dma_desc_residue(struct loongson2_cmc_dma_chan *lcha ndtr = loongson2_cmc_dma_read(lddev, LOONGSON2_CMCDMA_CNDTR, lchan->id); residue = ndtr << width; - if (lchan->desc->cyclic && next_sg == 0) + if (desc->cyclic && next_sg == 0) return residue; for (i = next_sg; i < desc->num_sgs; i++) -- 2.43.0
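
Review bot: The two context lines at the top of the hunk still initialise residue from channel state ("ndtr = loongson2_cmc_dma_read(lddev, LOONGSON2_CMCDMA_CNDTR, lchan->id); residue = ndtr << width;"), so changing only the cyclic test to "desc->cyclic" removes the NULL dereference but leaves the fallback path reporting a register value that does not belong to the queried descriptor. When loongson2_cmc_dma_tx_status() passes to_lmdma_desc(vdesc) with next_sg == 0 and that descriptor is cyclic, the early "return residue;" hands back the CNDTR count of whatever the channel is currently running, or of an idle channel when lchan->desc is NULL. Consider using the register value only when desc is the channel's current descriptor and otherwise deriving the residue from the desc->sg_req[i].len sum alone, or state in the commit message why the register value is acceptable for a descriptor that is not in flight. Separately, the subject prefix "dma:" differs from the "dmaengine: loongson:" prefix used by the commit named in the Fixes: tag.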