[PATCH] dmaengine: dw-axi-dmac: fix vchan teardown races and LLI dump bounds

Ilya Polyvyanyy posted 1 patch 1 month, 2 weeks ago
drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
[PATCH] dmaengine: dw-axi-dmac: fix vchan teardown races and LLI dump bounds
Posted by Ilya Polyvyanyy 1 month, 2 weeks ago
The channel teardown paths free descriptors/pools without synchronizing
virt-dma callbacks first. If the vchan tasklet is still running, descriptor
cleanup may race with callback processing and trigger use-after-free.

Call vchan_synchronize() in free_chan_resources() and terminate_all() to
drain pending tasklet activity before/after descriptor list cleanup.

Also fix axi_chan_list_dump_lli() to iterate over desc_head->nr_hw_descs
instead of the channel-wide descs_allocated counter. The old bound could
exceed the current descriptor array and cause out-of-bounds access in the
error-dump path.

Signed-off-by: Ilya Polyvyanyy <il.polyvyanyy@gmail.com>
---
 drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c b/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
index 4d53f077e..4c317ee82 100644
--- a/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
+++ b/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
@@ -553,6 +553,7 @@ static void dma_chan_free_chan_resources(struct dma_chan *dchan)
 
 	axi_chan_disable(chan);
 	axi_chan_irq_disable(chan, DWAXIDMAC_IRQ_ALL);
+	vchan_synchronize(&chan->vc);
 
 	vchan_free_chan_resources(&chan->vc);
 
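Review bot: the new vchan_synchronize(&chan->vc) runs directly after axi_chan_irq_disable(), and nothing in this hunk waits for an interrupt handler that is already executing on another CPU. Such a handler could schedule the vchan tasklet again after it has been killed, so the window described in the commit message may still be open when vchan_free_chan_resources() runs. Please either add the needed wait for the IRQ handler before the synchronize call, or explain in the commit message why masking the channel interrupts is sufficient. A one-line comment above the new call saying what it drains would also help.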
@@ -1049,9 +1050,13 @@ static void axi_chan_dump_lli(struct axi_dma_chan *chan,
 static void axi_chan_list_dump_lli(struct axi_dma_chan *chan,
 				   struct axi_dma_desc *desc_head)
 {
-	int count = atomic_read(&chan->descs_allocated);
+	int count;
 	int i;
 
+	if (!desc_head || !desc_head->hw_desc)
+		return;
+
+	count = desc_head->nr_hw_descs;
 	for (i = 0; i < count; i++)
 		axi_chan_dump_lli(chan, &desc_head->hw_desc[i]);
 }
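Review bot: the early return on `if (!desc_head || !desc_head->hw_desc)` silently skips the dump, and the commit message does not say which caller can pass a NULL desc_head or a descriptor without hw_desc. If that cannot happen, drop the guard so it does not hide a real bug. If it can, name the path and consider logging that the dump was skipped, since this is the error path. Also, `count` is now only a copy of desc_head->nr_hw_descs, so the loop can compare against the field directly, with `i` declared in the field's type instead of going through an int. This bounds fix is independent of the vchan_synchronize() changes in the other two hunks and would be easier to backport as its own patch.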
@@ -1206,6 +1211,7 @@ static int dma_chan_terminate_all(struct dma_chan *dchan)
 	spin_unlock_irqrestore(&chan->vc.lock, flags);
 
 	vchan_dma_desc_free_list(&chan->vc, &head);
+	vchan_synchronize(&chan->vc);
 
 	dev_vdbg(dchan2dev(dchan), "terminated: %s\n", axi_chan_name(chan));
 
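Review bot: calling vchan_synchronize() at the end of dma_chan_terminate_all() makes the terminate path wait for the vchan tasklet, but the dmaengine API allows device_terminate_all to be invoked from atomic context and from inside a completion callback (via dmaengine_terminate_async()). Waiting on the tasklet is unsafe there, and from the callback itself the wait cannot finish. The wait belongs in the device_synchronize callback, which clients reach through dmaengine_synchronize() or dmaengine_terminate_sync(). Note also that the call is placed after vchan_dma_desc_free_list(&chan->vc, &head), so the descriptors on that list are already freed by the time the tasklet is drained, which does not close the use-after-free the commit message describes.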
-- 
2.54.0
Re: [PATCH] dmaengine: dw-axi-dmac: fix vchan teardown races and LLI dump bounds
Posted by Frank Li 1 month, 1 week ago
On Wed, Apr 29, 2026 at 04:17:15PM +0300, Ilya Polyvyanyy wrote:
> The channel teardown paths free descriptors/pools without synchronizing
> virt-dma callbacks first. If the vchan tasklet is still running, descriptor
> cleanup may race with callback processing and trigger use-after-free.
>
> Call vchan_synchronize() in free_chan_resources() and terminate_all() to
> drain pending tasklet activity before/after descriptor list cleanup.
>
> Also fix axi_chan_list_dump_lli() to iterate over desc_head->nr_hw_descs
> instead of the channel-wide descs_allocated counter. The old bound could
> exceed the current descriptor array and cause out-of-bounds access in the
> error-dump path.

Use a separate patch to fix this problem.

Missed fix tags here

Frank
> Signed-off-by: Ilya Polyvyanyy <il.polyvyanyy@gmail.com>
> ---
>  drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c b/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
> index 4d53f077e..4c317ee82 100644
> --- a/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
> +++ b/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
> @@ -553,6 +553,7 @@ static void dma_chan_free_chan_resources(struct dma_chan *dchan)
>
>  	axi_chan_disable(chan);
>  	axi_chan_irq_disable(chan, DWAXIDMAC_IRQ_ALL);
> +	vchan_synchronize(&chan->vc);
>
>  	vchan_free_chan_resources(&chan->vc);
>
> @@ -1049,9 +1050,13 @@ static void axi_chan_dump_lli(struct axi_dma_chan *chan,
>  static void axi_chan_list_dump_lli(struct axi_dma_chan *chan,
>  				   struct axi_dma_desc *desc_head)
>  {
> -	int count = atomic_read(&chan->descs_allocated);
> +	int count;
>  	int i;
>
> +	if (!desc_head || !desc_head->hw_desc)
> +		return;
> +
> +	count = desc_head->nr_hw_descs;
>  	for (i = 0; i < count; i++)
>  		axi_chan_dump_lli(chan, &desc_head->hw_desc[i]);
>  }
> @@ -1206,6 +1211,7 @@ static int dma_chan_terminate_all(struct dma_chan *dchan)
>  	spin_unlock_irqrestore(&chan->vc.lock, flags);
>
>  	vchan_dma_desc_free_list(&chan->vc, &head);
> +	vchan_synchronize(&chan->vc);
>
>  	dev_vdbg(dchan2dev(dchan), "terminated: %s\n", axi_chan_name(chan));
>
> --
> 2.54.0
>