On 3/24/19 11:28 AM, Jens Axboe wrote:
> On 3/4/19 4:08 PM, Aditya Pakki wrote:
>> dma_async_tx_descriptor can contain a NULL variable and using
>> it in dmaengine_submit without checking can crash the process.
>> This patch avoids such a scenario.
>>
>> Signed-off-by: Aditya Pakki <pakki001@xxxxxxx>
>> ---
>> drivers/ata/sata_dwc_460ex.c | 6 ++++--
>> 1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/drivers/ata/sata_dwc_460ex.c b/drivers/ata/sata_dwc_460ex.c
>> index 6f142aa54f5f..44a0d7a1ef54 100644
>> --- a/drivers/ata/sata_dwc_460ex.c
>> +++ b/drivers/ata/sata_dwc_460ex.c
>> @@ -1052,8 +1052,10 @@ static void sata_dwc_bmdma_start_by_tag(struct ata_queued_cmd *qc, u8 tag)
>> SATA_DWC_DMACR_RXCHEN);
>>
>> /* Enable AHB DMA transfer on the specified channel */
>> - dmaengine_submit(desc);
>> - dma_async_issue_pending(hsdevp->chan);
>> + if (desc) {
>> + dmaengine_submit(desc);
>> + dma_async_issue_pending(hsdevp->chan);
>> + }
>> }
>> }
>
> Hmm, if desc == NULL, is that an error condition?
>
Jens,
In dmaengine_submit, the desc variable is dereferenced without a check for NULL.
