[PATCH 2/2] xilinx_dma: Fix read-after-free bug when terminating transfers
Vinod Koul
vkoul at kernel.org
Tue Jul 13 22:10:02 PDT 2021
On 07-07-21, 00:43, Adrian Larumbe wrote:
> When user calls dmaengine_terminate_sync, the driver will clean up any
> remaining descriptors for all the pending or active transfers that had
> previously been submitted. However, this might happen whilst the tasklet is
> invoking the DMA callback for the last finished transfer, so by the time it
> returns and takes over the channel's spinlock, the list of completed
> descriptors it was traversing is no longer valid. This leads to a
> read-after-free situation.
>
> Fix it by signalling whether a user-triggered termination has happened by
> means of a boolean variable.
Applied after adding subsystem name, thanks
--
~Vinod
More information about the linux-arm-kernel
mailing list