1. Patchew
  2. linux
  3. View series

[PATCH] dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()

Tuo Li posted 1 patch 1 month ago 
drivers/dma/idxd/submit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH] dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()
Posted by Tuo Li 1 month ago 
At the end of this function, d is the traversal cursor of flist, but the
code completes found instead. This can lead to issues such as NULL pointer
dereferences, double completion, or descriptor leaks.

Fix this by completing d instead of found in the final
list_for_each_entry_safe() loop.

Fixes: aa8d18becc0c ("dmaengine: idxd: add callback support for iaa crypto")
Signed-off-by: Tuo Li <islituo@gmail.com>
---
 drivers/dma/idxd/submit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/dma/idxd/submit.c b/drivers/dma/idxd/submit.c
index 6db1c5fcedc5..03217041b8b3 100644
--- a/drivers/dma/idxd/submit.c
+++ b/drivers/dma/idxd/submit.c
@@ -138,7 +138,7 @@ static void llist_abort_desc(struct idxd_wq *wq, struct idxd_irq_entry *ie,
 	 */
 	list_for_each_entry_safe(d, t, &flist, list) {
 		list_del_init(&d->list);
-		idxd_dma_complete_txd(found, IDXD_COMPLETE_ABORT, true,
+		idxd_dma_complete_txd(d, IDXD_COMPLETE_ABORT, true,
 				      NULL, NULL);
 	}
 }
-- 
2.43.0
Re: [PATCH] dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()
Posted by Dave Jiang 1 month ago 

On 1/5/26 8:24 PM, Tuo Li wrote:
> At the end of this function, d is the traversal cursor of flist, but the
> code completes found instead. This can lead to issues such as NULL pointer
> dereferences, double completion, or descriptor leaks.
> 
> Fix this by completing d instead of found in the final
> list_for_each_entry_safe() loop.
> 
> Fixes: aa8d18becc0c ("dmaengine: idxd: add callback support for iaa crypto")
> Signed-off-by: Tuo Li <islituo@gmail.com>

Good catch! Thanks. 

Reviewed-by: Dave Jiang <dave.jiang@intel.com>

> ---
>  drivers/dma/idxd/submit.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/dma/idxd/submit.c b/drivers/dma/idxd/submit.c
> index 6db1c5fcedc5..03217041b8b3 100644
> --- a/drivers/dma/idxd/submit.c
> +++ b/drivers/dma/idxd/submit.c
> @@ -138,7 +138,7 @@ static void llist_abort_desc(struct idxd_wq *wq, struct idxd_irq_entry *ie,
>  	 */
>  	list_for_each_entry_safe(d, t, &flist, list) {
>  		list_del_init(&d->list);
> -		idxd_dma_complete_txd(found, IDXD_COMPLETE_ABORT, true,
> +		idxd_dma_complete_txd(d, IDXD_COMPLETE_ABORT, true,
>  				      NULL, NULL);
>  	}
>  }

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.