Re: [PATCH] dmaengine: dw-axi-dmac: fix vchan teardown races and LLI dump bounds
From: Frank Li
Date: Thu May 07 2026 - 14:41:09 EST
On Wed, Apr 29, 2026 at 04:17:15PM +0300, Ilya Polyvyanyy wrote:
> The channel teardown paths free descriptors/pools without synchronizing
> virt-dma callbacks first. If the vchan tasklet is still running, descriptor
> cleanup may race with callback processing and trigger use-after-free.
>
> Call vchan_synchronize() in free_chan_resources() and terminate_all() to
> drain pending tasklet activity before/after descriptor list cleanup.
>
> Also fix axi_chan_list_dump_lli() to iterate over desc_head->nr_hw_descs
> instead of the channel-wide descs_allocated counter. The old bound could
> exceed the current descriptor array and cause out-of-bounds access in the
> error-dump path.
Use sperated patch to fix this problem.
Missed fix tags here
Frank
> Signed-off-by: Ilya Polyvyanyy <il.polyvyanyy@xxxxxxxxx>
> ---
> drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c b/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
> index 4d53f077e..4c317ee82 100644
> --- a/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
> +++ b/drivers/dma/dw-axi-dmac/dw-axi-dmac-platform.c
> @@ -553,6 +553,7 @@ static void dma_chan_free_chan_resources(struct dma_chan *dchan)
>
> axi_chan_disable(chan);
> axi_chan_irq_disable(chan, DWAXIDMAC_IRQ_ALL);
> + vchan_synchronize(&chan->vc);
>
> vchan_free_chan_resources(&chan->vc);
>
> @@ -1049,9 +1050,13 @@ static void axi_chan_dump_lli(struct axi_dma_chan *chan,
> static void axi_chan_list_dump_lli(struct axi_dma_chan *chan,
> struct axi_dma_desc *desc_head)
> {
> - int count = atomic_read(&chan->descs_allocated);
> + int count;
> int i;
>
> + if (!desc_head || !desc_head->hw_desc)
> + return;
> +
> + count = desc_head->nr_hw_descs;
> for (i = 0; i < count; i++)
> axi_chan_dump_lli(chan, &desc_head->hw_desc[i]);
> }
> @@ -1206,6 +1211,7 @@ static int dma_chan_terminate_all(struct dma_chan *dchan)
> spin_unlock_irqrestore(&chan->vc.lock, flags);
>
> vchan_dma_desc_free_list(&chan->vc, &head);
> + vchan_synchronize(&chan->vc);
>
> dev_vdbg(dchan2dev(dchan), "terminated: %s\n", axi_chan_name(chan));
>
> --
> 2.54.0
>