Re: [PATCH] dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()

Next message: Ionut Nechita (Sunlight Linux): "[PATCH 1/1] tick/nohz: Add fast-path tick stopping for idle isolated cores"
Previous message: Ionut Nechita (Sunlight Linux): "[PATCH 0/1] tick/nohz: Optimize tick stopping for isolated cores"
In reply to: Tuo Li: "[PATCH] dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Dave Jiang

Date: Tue Jan 06 2026 - 10:37:37 EST

On 1/5/26 8:24 PM, Tuo Li wrote:
> At the end of this function, d is the traversal cursor of flist, but the
> code completes found instead. This can lead to issues such as NULL pointer
> dereferences, double completion, or descriptor leaks.
>
> Fix this by completing d instead of found in the final
> list_for_each_entry_safe() loop.
>
> Fixes: aa8d18becc0c ("dmaengine: idxd: add callback support for iaa crypto")
> Signed-off-by: Tuo Li <islituo@xxxxxxxxx>

Good catch! Thanks.

Reviewed-by: Dave Jiang <dave.jiang@xxxxxxxxx>

> ---
> drivers/dma/idxd/submit.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/dma/idxd/submit.c b/drivers/dma/idxd/submit.c
> index 6db1c5fcedc5..03217041b8b3 100644
> --- a/drivers/dma/idxd/submit.c
> +++ b/drivers/dma/idxd/submit.c
> @@ -138,7 +138,7 @@ static void llist_abort_desc(struct idxd_wq *wq, struct idxd_irq_entry *ie,
> */
> list_for_each_entry_safe(d, t, &flist, list) {
> list_del_init(&d->list);
> - idxd_dma_complete_txd(found, IDXD_COMPLETE_ABORT, true,
> + idxd_dma_complete_txd(d, IDXD_COMPLETE_ABORT, true,
> NULL, NULL);
> }
> }