vchan_complete() contains a potential NULL-pointer dereference: the vd variable is checked for being non-NULL under a spinlock, but few lines below &vd->tx_result is passed as a second arg to dmaengine_desc_callback_invoke() unconditionally. This issue was spotted by looking into the code, I'm not aware of any real world consequences. It seems like dmaengine_desc_callback_invoke() is never using the second argument in cases when vd is NULL, this is why we haven't seen any crashes. To make it safer, let's pass NULL to dmaengine_desc_callback_invoke() if vd is NULL. Signed-off-by: Roman Gushchin <roman.gushchin@xxxxxxxxx> --- drivers/dma/virt-dma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/dma/virt-dma.c b/drivers/dma/virt-dma.c index a6f4265be0c9..0c46ad18dae1 100644 --- a/drivers/dma/virt-dma.c +++ b/drivers/dma/virt-dma.c @@ -98,7 +98,7 @@ static void vchan_complete(struct tasklet_struct *t) } spin_unlock_irq(&vc->lock); - dmaengine_desc_callback_invoke(&cb, &vd->tx_result); + dmaengine_desc_callback_invoke(&cb, vd ? &vd->tx_result : NULL); list_for_each_entry_safe(vd, _vd, &head, node) { dmaengine_desc_get_callback(&vd->tx, &cb); -- 2.40.0
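Review bot: the justification for the `vd ? &vd->tx_result : NULL` change rests on a hedge ("It seems like dmaengine_desc_callback_invoke() is never using the second argument in cases when vd is NULL"); the commit message should state that condition definitively rather than as a guess, since the safety of passing NULL depends on the callee never touching the result pointer when no callback is set. Also, the description calls the old code a "potential NULL-pointer dereference", but `&vd->tx_result` only computes an address from a NULL base and performs no load, which is why no crash was ever seen; it is still undefined behaviour in C and the fix is worthwhile, but the wording ("forms an invalid pointer from a NULL vd") would be more accurate. A one-line comment above the call explaining why vd can be NULL at this point would help the next reader understand why the conditional is there.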