diff options
author | Peter Ujfalusi <peter.ujfalusi@ti.com> | 2019-12-20 14:11:00 +0100 |
---|---|---|
committer | Vinod Koul <vkoul@kernel.org> | 2019-12-23 08:53:24 +0100 |
commit | 24461d9792c2c706092805ff1b067628933441bd (patch) | |
tree | efe576215c6ba64ea6239188b14c166dff8682e0 | |
parent | dmaengine: k3dma: Avoid null pointer traversal (diff) | |
download | linux-24461d9792c2c706092805ff1b067628933441bd.tar.xz linux-24461d9792c2c706092805ff1b067628933441bd.zip |
dmaengine: virt-dma: Fix access after free in vchan_complete()
vchan_vdesc_fini() is freeing up 'vd' so the access to vd->tx_result is
via already freed up memory.
Move the vchan_vdesc_fini() after invoking the callback to avoid this.
Fixes: 09d5b702b0f97 ("dmaengine: virt-dma: store result on dma descriptor")
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Reviewed-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
Link: https://lore.kernel.org/r/20191220131100.21804-1-peter.ujfalusi@ti.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
-rw-r--r-- | drivers/dma/virt-dma.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/drivers/dma/virt-dma.c b/drivers/dma/virt-dma.c index ec4adf4260a0..256fc662c500 100644 --- a/drivers/dma/virt-dma.c +++ b/drivers/dma/virt-dma.c @@ -104,9 +104,8 @@ static void vchan_complete(unsigned long arg) dmaengine_desc_get_callback(&vd->tx, &cb); list_del(&vd->node); - vchan_vdesc_fini(vd); - dmaengine_desc_callback_invoke(&cb, &vd->tx_result); + vchan_vdesc_fini(vd); } } |