Commit 4d43acb1 authored by Dan Carpenter's avatar Dan Carpenter Committed by Vinod Koul

dmaengine: at_xdmac: fix potential Oops in at_xdmac_prep_interleaved()

There are two place if the at_xdmac_interleaved_queue_desc() fails which
could lead to a NULL dereference where "first" is NULL and we call
list_add_tail(&first->desc_node, ...).  In the first caller, the return
is not checked so add a check for that.  In the next caller, the return
is checked but if it fails on the first iteration through the loop then
it will lead to a NULL pointer dereference.

Fixes: 4e538578 ("dmaengine: at_xdmac: handle numf > 1")
Fixes: 62b5cb75 ("dmaengine: at_xdmac: fix memory leak in interleaved mode")
Signed-off-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: default avatarTudor Ambarus <tudor.ambarus@linaro.org>
Link: https://lore.kernel.org/r/21282b66-9860-410a-83df-39c17fcf2f1b@kili.mountainSigned-off-by: default avatarVinod Koul <vkoul@kernel.org>
parent 38de368a
...@@ -1102,6 +1102,8 @@ at_xdmac_prep_interleaved(struct dma_chan *chan, ...@@ -1102,6 +1102,8 @@ at_xdmac_prep_interleaved(struct dma_chan *chan,
NULL, NULL,
src_addr, dst_addr, src_addr, dst_addr,
xt, xt->sgl); xt, xt->sgl);
if (!first)
return NULL;
/* Length of the block is (BLEN+1) microblocks. */ /* Length of the block is (BLEN+1) microblocks. */
for (i = 0; i < xt->numf - 1; i++) for (i = 0; i < xt->numf - 1; i++)
...@@ -1132,8 +1134,9 @@ at_xdmac_prep_interleaved(struct dma_chan *chan, ...@@ -1132,8 +1134,9 @@ at_xdmac_prep_interleaved(struct dma_chan *chan,
src_addr, dst_addr, src_addr, dst_addr,
xt, chunk); xt, chunk);
if (!desc) { if (!desc) {
list_splice_tail_init(&first->descs_list, if (first)
&atchan->free_descs_list); list_splice_tail_init(&first->descs_list,
&atchan->free_descs_list);
return NULL; return NULL;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment