PCI: endpoint: pci-epf-test: NULL check dma channels before release

kawasaki · intel-lab-lkp · commit b5ecead9cded · 2025-09-16T11:00:29.000+08:00
The fields dma_chan_tx and dma_chan_rx of the struct pci_epf_test can be NULL even after epf initialization. Then it is prudent to check that they have non-NULL values before releasing the channels. Add the checks in pci_epf_test_clean_dma_chan(). Without the checks, NULL pointer dereferences happen and they can lead to a kernel panic in some cases: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000011ab86000 [0000000000000050] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] SMP Modules linked in: pci_epf_test zram zsmalloc lzo_compress ramoops reed_solomon nvme_fabrics bridge stp llc usb_f_acm u_serial usb_f_rndis u_ether libcomposite snd_soc_tegra210_admaif snd_soc_tegra186_asrc snd_soc_tegra210_mvc snd_soc_tegra_pcm snd_soc_tegra210_sfc snd_soc_tegra210_ope snd_soc_tegra210_amx snd_soc_tegra210_mixer snd_soc_tegra210_i2s snd_soc_tegra210_adx snd_soc_simple_card_utils tegra_drm snd_soc_tegra210_ahub drm_dp_aux_bus cec snd_hda_codec_hdmi drm_display_helper snd_hda_tegra tegra_xudc drm_client_lib at24 snd_hda_codec drm_kms_helper tegra_se crypto_engine snd_hda_core pwm_tegra tegra_bpmp_thermal tpm_ftpm_tee ina3221 pwm_fan drm fuse ip_tables x_tables ipv6 r8169 CPU: 2 UID: 0 PID: 127 Comm: irq/165-tegra_p Not tainted 6.16.3-tegra+ torvalds#156 PREEMPT Hardware name: NVIDIA NVIDIA Jetson Orin Nano Developer Kit/Jetson, BIOS 36.4.4-gcid-41062509 06/16/2025 pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : dma_release_channel+0x2c/0x120 lr : dma_release_channel+0x2c/0x120 sp : ffff80008197bc90 x29: ffff80008197bc90 x28: ffffc80c867353d0 x27: ffffc80c867320b0 x26: ffff000089598680 x25: ffff000092bbca00 x24: ffff0000896075a0 x23: ffff000089547308 x22: ffff000089547000 x21: ffff00009e14f800 x20: ffffc80c88d18f50 x19: 0000000000000000 x18: 0000000000000000 x17: ffff00008082bba0 x16: ffffc80c86fa1da8 x15: 0000000000000022 x14: 0000000000000002 x13: 0000029f4ce9442c x12: 00000000000a8cc1 x11: 0000000000000040 x10: ffffc80c88a06c60 x9 : ffffc80c86fa1dd4 x8 : ffff0000804036e8 x7 : 0000000000000000 x6 : 0000000000000000 x5 : ffff0000804036c0 x4 : 0000000000000000 x3 : 0000000000000000 x2 : ffff000092bbca00 x1 : 0000000000000000 x0 : ffffc80c88d18f50 Call trace: dma_release_channel+0x2c/0x120 (P) pci_epf_test_epc_deinit+0x94/0xc0 [pci_epf_test] pci_epc_deinit_notify+0x74/0xc0 tegra_pcie_ep_pex_rst_irq+0x250/0x5d8 irq_thread_fn+0x34/0xb8 irq_thread+0x18c/0x2e8 kthread+0x14c/0x210 ret_from_fork+0x10/0x20 Code: f000ebb4 913d4294 aa1403e0 942ac552 (b940526) ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Oops: Fatal exception Fixes: 8353813 ("PCI: endpoint: Enable DMA tests for endpoints with DMA capabilities") Fixes: 5ebf3fc ("PCI: endpoint: functions/pci-epf-test: Add DMA support to transfer data") Cc: stable@vger.kernel.org Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com> Reviewed-by: Damien Le Moal <dlemoal@kernel.org> Reviewed-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
diff --git a/drivers/pci/endpoint/functions/pci-epf-test.c b/drivers/pci/endpoint/functions/pci-epf-test.c
@@ -301,15 +301,20 @@ static void pci_epf_test_clean_dma_chan(struct pci_epf_test *epf_test)
 	if (!epf_test->dma_supported)
 		return;
 
-	dma_release_channel(epf_test->dma_chan_tx);
-	if (epf_test->dma_chan_tx == epf_test->dma_chan_rx) {
+	if (epf_test->dma_chan_tx) {
+		dma_release_channel(epf_test->dma_chan_tx);
+		if (epf_test->dma_chan_tx == epf_test->dma_chan_rx) {
+			epf_test->dma_chan_tx = NULL;
+			epf_test->dma_chan_rx = NULL;
+			return;
+		}
 		epf_test->dma_chan_tx = NULL;
-		epf_test->dma_chan_rx = NULL;
-		return;
 	}
 
-	dma_release_channel(epf_test->dma_chan_rx);
-	epf_test->dma_chan_rx = NULL;
+	if (epf_test->dma_chan_rx) {
+		dma_release_channel(epf_test->dma_chan_rx);
+		epf_test->dma_chan_rx = NULL;
+	}
 }
 
 static void pci_epf_test_print_rate(struct pci_epf_test *epf_test,
