summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPeter Ujfalusi <peter.ujfalusi@ti.com>2019-12-20 15:11:00 +0200
committerVinod Koul <vkoul@kernel.org>2019-12-23 13:23:24 +0530
commit24461d9792c2c706092805ff1b067628933441bd (patch)
treeefe576215c6ba64ea6239188b14c166dff8682e0
parent2f42e05b942fe2fbfb9bbc6e34e1dd8c3ce4f3a4 (diff)
downloadlinux-stable-24461d9792c2c706092805ff1b067628933441bd.tar.gz
linux-stable-24461d9792c2c706092805ff1b067628933441bd.tar.bz2
linux-stable-24461d9792c2c706092805ff1b067628933441bd.zip
dmaengine: virt-dma: Fix access after free in vchan_complete()
vchan_vdesc_fini() is freeing up 'vd' so the access to vd->tx_result is via already freed up memory. Move the vchan_vdesc_fini() after invoking the callback to avoid this. Fixes: 09d5b702b0f97 ("dmaengine: virt-dma: store result on dma descriptor") Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com> Reviewed-by: Alexandru Ardelean <alexandru.ardelean@analog.com> Link: https://lore.kernel.org/r/20191220131100.21804-1-peter.ujfalusi@ti.com Signed-off-by: Vinod Koul <vkoul@kernel.org>
-rw-r--r--drivers/dma/virt-dma.c3
1 files changed, 1 insertions, 2 deletions
diff --git a/drivers/dma/virt-dma.c b/drivers/dma/virt-dma.c
index ec4adf4260a0..256fc662c500 100644
--- a/drivers/dma/virt-dma.c
+++ b/drivers/dma/virt-dma.c
@@ -104,9 +104,8 @@ static void vchan_complete(unsigned long arg)
dmaengine_desc_get_callback(&vd->tx, &cb);
list_del(&vd->node);
- vchan_vdesc_fini(vd);
-
dmaengine_desc_callback_invoke(&cb, &vd->tx_result);
+ vchan_vdesc_fini(vd);
}
}