[PATCH v3] crypto: ti-dthev2: Fix potential invalid access when device list is empty
From: Hongling Zeng
Date: Wed Jun 17 2026 - 02:36:52 EST
list_first_entry() never returns NULL - if the list is empty, it still
returns a pointer to an invalid object, leading to potential invalid
memory access when dereferenced.
Fix this by using list_first_entry_or_null instead of list_first_entry.
Fixes: 52f641bc63a4 ("crypto: ti - Add driver for DTHE V2 AES Engine (ECB, CBC)")
Signed-off-by: Hongling Zeng <zenghongling@xxxxxxxxxx>
---
Change in v2
- Reorder dthe_remove(): unregister algorithms before removing from list
This prevents new allocations during removal.
---
Change in v3
- Fix spinlock inconsistency: dthe_get_dev() uses spin_lock_bh() while
dthe_probe() and dthe_remove() use spin_lock(). This can cause deadlock
if softirq interrupts process context holding the lock.
---
drivers/crypto/ti/dthev2-common.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/crypto/ti/dthev2-common.c b/drivers/crypto/ti/dthev2-common.c
index a2ad79bec105..b315c850f05d 100644
--- a/drivers/crypto/ti/dthev2-common.c
+++ b/drivers/crypto/ti/dthev2-common.c
@@ -39,11 +39,11 @@ struct dthe_data *dthe_get_dev(struct dthe_tfm_ctx *ctx)
if (ctx->dev_data)
return ctx->dev_data;
- spin_lock_bh(&dthe_dev_list.lock);
- dev_data = list_first_entry(&dthe_dev_list.dev_list, struct dthe_data, list);
+ spin_lock(&dthe_dev_list.lock);
+ dev_data = list_first_entry_or_null(&dthe_dev_list.dev_list, struct dthe_data, list);
if (dev_data)
list_move_tail(&dev_data->list, &dthe_dev_list.dev_list);
- spin_unlock_bh(&dthe_dev_list.lock);
+ spin_unlock(&dthe_dev_list.lock);
return dev_data;
}
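Review bot: The switch from spin_lock_bh() to spin_lock() in dthe_get_dev() resolves the inconsistency in the opposite direction from the deadlock the v3 changelog describes. If a softirq can take dthe_dev_list.lock while process context holds it, the lock has to be taken with bottom halves disabled at every site, so the safer change is to keep spin_lock_bh() here and convert dthe_probe() and dthe_remove() to spin_lock_bh()/spin_unlock_bh(). Dropping _bh is only correct if dthe_get_dev() is never reached from softirq context, and the commit message should state that. Separately, dthe_get_dev() can now return NULL, so each caller needs a NULL check before dereferencing the result, and this patch adds none. The locking change is also absent from the commit message above the --- and would be easier to review as its own patch.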
@@ -201,12 +201,12 @@ static void dthe_remove(struct platform_device *pdev)
{
struct dthe_data *dev_data = platform_get_drvdata(pdev);
+ dthe_unregister_algs();
+
spin_lock(&dthe_dev_list.lock);
list_del(&dev_data->list);
spin_unlock(&dthe_dev_list.lock);
- dthe_unregister_algs();
-
crypto_engine_exit(dev_data->engine);
dma_release_channel(dev_data->dma_aes_rx);
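Review bot: Moving dthe_unregister_algs() ahead of list_del() in dthe_remove() is a behaviour change that the commit message does not describe. The rationale appears only in the v2 changelog below the ---, which is dropped when the patch is applied. Please put the reason in the commit message, or split the reorder into a separate patch with its own justification. Also, dthe_unregister_algs() takes no device argument while dthe_get_dev() rotates through a list of devices, so it is worth stating what happens to the devices still on the list when one is removed, and whether a tfm that has already cached ctx->dev_data can still reach this device after list_del().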
--
2.25.1