Commit e1c98661 authored Jan 06, 2026 by Tuo Li Committed by Vinod Koul Mar 09, 2026

dmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()



At the end of this function, d is the traversal cursor of flist, but the
code completes found instead. This can lead to issues such as NULL pointer
dereferences, double completion, or descriptor leaks.

Fix this by completing d instead of found in the final
list_for_each_entry_safe() loop.

Fixes: aa8d18be ("dmaengine: idxd: add callback support for iaa crypto")
Signed-off-by: Tuo Li <islituo@gmail.com>
Reviewed-by: Dave Jiang <dave.jiang@intel.com>
Link: https://patch.msgid.link/20260106032428.162445-1-islituo@gmail.com


Signed-off-by: Vinod Koul <vkoul@kernel.org>

parent e0adbf74

drivers/dma/idxd/submit.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -138,7 +138,7 @@ static void llist_abort_desc(struct idxd_wq wq, struct idxd_irq_entry ie,
		*/
		list_for_each_entry_safe(d, t, &flist, list) {
		list_del_init(&d->list);
		idxd_dma_complete_txd(found, IDXD_COMPLETE_ABORT, true,
		idxd_dma_complete_txd(d, IDXD_COMPLETE_ABORT, true,
		NULL, NULL);
		}
		}