From: Max Hsu
Date: Sat, 21 Feb 2026 03:43:55 +0800
Subject: [PATCH 3/5] dmaengine: sf-pdma: fix NULL pointer dereference in error and done handlers
X-Mailing-List: linux-kernel@vger.kernel.org
Message-Id: <20260221-pdma-v1-3-838d929c2326@sifive.com>
References: <20260221-pdma-v1-0-838d929c2326@sifive.com>
In-Reply-To: <20260221-pdma-v1-0-838d929c2326@sifive.com>
To: Paul Walmsley, Samuel Holland, Vinod Koul, Frank Li, Green Wan, Rob Herring, Krzysztof Kozlowski, Conor Dooley, Palmer Debbelt, Conor Dooley, Palmer Dabbelt, Albert Ou, Alexandre Ghiti
Cc: linux-riscv@lists.infradead.org, dmaengine@vger.kernel.org, linux-kernel@vger.kernel.org, Paul Walmsley, devicetree@vger.kernel.org, Max Hsu, stable@vger.kernel.org

Fix NULL pointer dereferences in both the error and done tasklets that can occur due to race conditions during channel termination or completion.

Both tasklets (sf_pdma_errbh_tasklet and sf_pdma_donebh_tasklet) dereference chan->desc without checking if it's NULL. However, chan->desc can be NULL in legitimate scenarios:

1. During sf_pdma_terminate_all(): The function sets chan->desc = NULL while holding vchan.lock, but interrupts for previously submitted transactions could fire after the lock is released, before the hardware is fully quiesced. These interrupts can schedule tasklets that will run with chan->desc = NULL.

2. During channel cleanup: Similar race condition during sf_pdma_free_chan_resources().

The fix adds NULL checks at the beginning of both tasklets, protected by vchan.lock, using the same lock that terminate_all and free_chan_resources use when setting chan->desc = NULL. This ensures that either:
- The descriptor is valid and we can safely process it, or
- The descriptor was already freed and we safely skip processing

Fixes: 6973886ad58e ("dmaengine: sf-pdma: add platform DMA support for HiFive Unleashed A00")
Cc: stable@vger.kernel.org
Signed-off-by: Max Hsu

--- drivers/dma/sf-pdma/sf-pdma.c | 43 +++++++++++++++++++++++++++++++++------= ---- 1 file changed, 33 insertions(+), 10 deletions(-) diff --git a/drivers/dma/sf-pdma/sf-pdma.c b/drivers/dma/sf-pdma/sf-pdma.c index ac7d3b127a24..70e4afcda52a 100644 --- a/drivers/dma/sf-pdma/sf-pdma.c +++ b/drivers/dma/sf-pdma/sf-pdma.c
@@ -298,33 +298,56 @@ static void sf_pdma_free_desc(struct virt_dma_desc *v= desc) static void sf_pdma_donebh_tasklet(struct tasklet_struct *t) { struct sf_pdma_chan *chan =3D from_tasklet(chan, t, done_tasklet); + struct sf_pdma_desc *desc; unsigned long flags; =20 - spin_lock_irqsave(&chan->lock, flags); - if (chan->xfer_err) { - chan->retries =3D MAX_RETRY; - chan->status =3D DMA_COMPLETE; - chan->xfer_err =3D false; + spin_lock_irqsave(&chan->vchan.lock, flags); + desc =3D chan->desc; + if (!desc) { + /* + * The descriptor was already freed (e.g., by terminate_all + * or completion on another CPU). Nothing to do. + */ + spin_unlock_irqrestore(&chan->vchan.lock, flags); + return; } - spin_unlock_irqrestore(&chan->lock, flags); =20 - spin_lock_irqsave(&chan->vchan.lock, flags); - list_del(&chan->desc->vdesc.node); - vchan_cookie_complete(&chan->desc->vdesc); + list_del(&desc->vdesc.node); + vchan_cookie_complete(&desc->vdesc); =20 chan->desc =3D sf_pdma_get_first_pending_desc(chan); if (chan->desc) sf_pdma_xfer_desc(chan); =20 spin_unlock_irqrestore(&chan->vchan.lock, flags); + + spin_lock_irqsave(&chan->lock, flags); + if (chan->xfer_err) { + chan->retries =3D MAX_RETRY; + chan->status =3D DMA_COMPLETE; + chan->xfer_err =3D false; + } + spin_unlock_irqrestore(&chan->lock, flags); } =20 static void sf_pdma_errbh_tasklet(struct tasklet_struct *t) { struct sf_pdma_chan *chan =3D from_tasklet(chan, t, err_tasklet); - struct sf_pdma_desc *desc =3D chan->desc; + struct sf_pdma_desc *desc; unsigned long flags; =20 + spin_lock_irqsave(&chan->vchan.lock, flags); + desc =3D chan->desc; + if (!desc) { + /* + * The descriptor was already freed (e.g., by terminate_all + * or completion on another CPU). Nothing to do. + */ + spin_unlock_irqrestore(&chan->vchan.lock, flags); + return; + } + spin_unlock_irqrestore(&chan->vchan.lock, flags); + spin_lock_irqsave(&chan->lock, flags); if (chan->retries <=3D 0) { /* fail to recover */ --=20 2.43.0
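
Review bot: In sf_pdma_errbh_tasklet the new NULL check on chan->desc is made under vchan.lock, but that lock is released right after the check and before chan->lock is taken, so the local desc is only known to be valid at the instant of the check. If the remainder of the handler uses desc, sf_pdma_terminate_all() or sf_pdma_free_chan_resources() can still clear chan->desc in that window, which leaves a check-then-use race rather than the either/or guarantee the commit message describes; consider holding vchan.lock across the uses of desc, or re-reading chan->desc under the lock at the point of use. In sf_pdma_donebh_tasklet the xfer_err/retries/status reset has moved from before the completion to after it, which the commit message does not mention: the early return on !desc now skips that reset entirely, and chan->status = DMA_COMPLETE is now written after sf_pdma_xfer_desc() may already have started the next descriptor. Please explain the reordering in the changelog or keep the reset in its original position. The two identical comment blocks could also state which lock makes the check safe.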