[PATCH v2] crypto: ixp4xx - fix buffer chain unwind on allocation failure
Linus Walleij
linusw at kernel.org
Fri Apr 24 00:50:21 PDT 2026
On Thu, Apr 23, 2026 at 1:20 PM Ruoyu Wang <ruoyuw560 at gmail.com> wrote:
> chainup_buffers() builds a linked list of buffer descriptors for a
> scatterlist. If dma_pool_alloc() fails while constructing the list, the
> current code sets buf to NULL and later dereferences it unconditionally
> at the end of the function:
>
> buf->next = NULL;
> buf->phys_next = 0;
>
> This can lead to a null-pointer dereference on allocation failure.
>
> If the failure happens after part of the descriptor chain has already
> been allocated and DMA-mapped, the partially constructed chain also
> needs to be released.
>
> Fix this by terminating the partially constructed chain on allocation
> failure and letting the callers unwind it via their existing cleanup
> paths. Also fix ablk_perform() to preserve the hook pointers before
> checking for failure, so partially built chains can be freed correctly.
>
> Signed-off-by: Ruoyu Wang <ruoyuw560 at gmail.com>
Essentially I think Corentin & Herbert are better at reviewing this code
but it sure looks good to me!
Acked-by: Linus Walleij <linusw at kernel.org>
Yours,
Linus Walleij
More information about the linux-arm-kernel
mailing list