Patch "dmaengine: at_xdmac: fix potential Oops in at_xdmac_prep_interleaved()" has been added to the 5.15-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 5 Jun 2023 07:44:46 -0400

This is a note to let you know that I've just added the patch titled

    dmaengine: at_xdmac: fix potential Oops in at_xdmac_prep_interleaved()

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     dmaengine-at_xdmac-fix-potential-oops-in-at_xdmac_pr.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 17a4d8f9948f2bcfa08f0c9b60e0c6ddff5a291f
Author: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Date:   Mon May 15 13:32:10 2023 +0300

    dmaengine: at_xdmac: fix potential Oops in at_xdmac_prep_interleaved()
    
    [ Upstream commit 4d43acb145c363626d76f49febb4240c488cd1cf ]
    
    There are two place if the at_xdmac_interleaved_queue_desc() fails which
    could lead to a NULL dereference where "first" is NULL and we call
    list_add_tail(&first->desc_node, ...).  In the first caller, the return
    is not checked so add a check for that.  In the next caller, the return
    is checked but if it fails on the first iteration through the loop then
    it will lead to a NULL pointer dereference.
    
    Fixes: 4e5385784e69 ("dmaengine: at_xdmac: handle numf > 1")
    Fixes: 62b5cb757f1d ("dmaengine: at_xdmac: fix memory leak in interleaved mode")
    Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
    Reviewed-by: Tudor Ambarus <tudor.ambarus@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/21282b66-9860-410a-83df-39c17fcf2f1b@kili.mountain
    Signed-off-by: Vinod Koul <vkoul@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c
index b45437aab1434..dd34626df1abc 100644
--- a/drivers/dma/at_xdmac.c
+++ b/drivers/dma/at_xdmac.c
@@ -1026,6 +1026,8 @@ at_xdmac_prep_interleaved(struct dma_chan *chan,
 							NULL,
 							src_addr, dst_addr,
 							xt, xt->sgl);
+		if (!first)
+			return NULL;
 
 		/* Length of the block is (BLEN+1) microblocks. */
 		for (i = 0; i < xt->numf - 1; i++)
@@ -1056,8 +1058,9 @@ at_xdmac_prep_interleaved(struct dma_chan *chan,
 							       src_addr, dst_addr,
 							       xt, chunk);
 			if (!desc) {
-				list_splice_tail_init(&first->descs_list,
-						      &atchan->free_descs_list);
+				if (first)
+					list_splice_tail_init(&first->descs_list,
+							      &atchan->free_descs_list);
 				return NULL;
 			}
 






