[PATCH OLK-5.10] dmaengine: altera-msgdma: properly free descriptor in msgdma_free_descriptor

From: Olivier Dautricourt olivierdautricourt@gmail.com

mainline inclusion from mainline-v6.11-rc1 commit 54e4ada1a4206f878e345ae01cf37347d803d1b1 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IARVBS CVE: CVE-2024-46716

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...

--------------------------------

Remove list_del call in msgdma_chan_desc_cleanup, this should be the role of msgdma_free_descriptor. In consequence replace list_add_tail with list_move_tail in msgdma_free_descriptor.

This fixes the path: msgdma_free_chan_resources -> msgdma_free_descriptors -> msgdma_free_desc_list -> msgdma_free_descriptor

which does not correctly free the descriptors as first nodes were not removed from the list.

Signed-off-by: Olivier Dautricourt olivierdautricourt@gmail.com Tested-by: Olivier Dautricourt olivierdautricourt@gmail.com Link: https://lore.kernel.org/r/20240608213216.25087-3-olivierdautricourt@gmail.co... Signed-off-by: Vinod Koul vkoul@kernel.org

Conflicts: drivers/dma/altera-msgdma.c [Context conflicts due to a34da7ef9a8c ("dmaengine: altera-msgdma: Correctly handle descriptor callbacks") is not merged.] Signed-off-by: Jinjiang Tu tujinjiang@huawei.com --- drivers/dma/altera-msgdma.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/dma/altera-msgdma.c b/drivers/dma/altera-msgdma.c index 9a841ce5f0c5..d7a16a45a2d8 100644 --- a/drivers/dma/altera-msgdma.c +++ b/drivers/dma/altera-msgdma.c @@ -232,7 +232,7 @@ static void msgdma_free_descriptor(struct msgdma_device *mdev, struct msgdma_sw_desc *child, *next;

mdev->desc_free_cnt++; - list_add_tail(&desc->node, &mdev->free_list); + list_move_tail(&desc->node, &mdev->free_list); list_for_each_entry_safe(child, next, &desc->tx_list, node) { mdev->desc_free_cnt++; list_move_tail(&child->node, &mdev->free_list); @@ -587,8 +587,6 @@ static void msgdma_chan_desc_cleanup(struct msgdma_device *mdev) dma_async_tx_callback callback; void *callback_param;

- list_del(&desc->node); - callback = desc->async_tx.callback; callback_param = desc->async_tx.callback_param; if (callback) {