| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <555C6F38.50603@nvidia.com>
Date: Wed, 20 May 2015 12:25:44 +0100
From: Jon Hunter <jonathanh@...dia.com>
To: Alexandre Courbot <acourbot@...dia.com>,
Laxman Dewangan <ldewangan@...dia.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
"Jiri Slaby" <jslaby@...e.cz>
CC: <linux-serial@...r.kernel.org>, <linux-tegra@...r.kernel.org>,
<linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] serial: tegra: Fix memory leak on DMA setup failure
On 20/05/15 12:21, Jon Hunter wrote:
> If the call to dmaengine_slave_config() fails, then the DMA buffer will
> not be freed/unmapped. Fix this by moving the code that stores the
> address of the buffer in the tegra_uart_port structure to before the
> call to dmaengine_slave_config().
By the way, just to be clear, I did try to fix this before [1], but
failed :-(
Thanks to Alex for pointing this out.
Cheers
Jon
[1] https://lkml.org/lkml/2015/5/5/802
> Reported-by: Alexandre Courbot <acourbot@...dia.com>
> Signed-off-by: Jon Hunter <jonathanh@...dia.com>
> ---
> drivers/tty/serial/serial-tegra.c | 32 +++++++++++---------------------
> 1 file changed, 11 insertions(+), 21 deletions(-)
>
> diff --git a/drivers/tty/serial/serial-tegra.c b/drivers/tty/serial/serial-tegra.c
> index 3b63f103f0c9..cf0133ae762d 100644
> --- a/drivers/tty/serial/serial-tegra.c
> +++ b/drivers/tty/serial/serial-tegra.c
> @@ -999,6 +999,12 @@ static int tegra_uart_dma_channel_allocate(struct tegra_uart_port *tup,
> dma_release_channel(dma_chan);
> return -ENOMEM;
> }
> + dma_sconfig.src_addr = tup->uport.mapbase;
> + dma_sconfig.src_addr_width = DMA_SLAVE_BUSWIDTH_1_BYTE;
> + dma_sconfig.src_maxburst = 4;
> + tup->rx_dma_chan = dma_chan;
> + tup->rx_dma_buf_virt = dma_buf;
> + tup->rx_dma_buf_phys = dma_phys;
> } else {
> dma_phys = dma_map_single(tup->uport.dev,
> tup->uport.state->xmit.buf, UART_XMIT_SIZE,
> @@ -1009,39 +1015,23 @@ static int tegra_uart_dma_channel_allocate(struct tegra_uart_port *tup,
> return -ENOMEM;
> }
> dma_buf = tup->uport.state->xmit.buf;
> - }
> -
> - if (dma_to_memory) {
> - dma_sconfig.src_addr = tup->uport.mapbase;
> - dma_sconfig.src_addr_width = DMA_SLAVE_BUSWIDTH_1_BYTE;
> - dma_sconfig.src_maxburst = 4;
> - } else {
> dma_sconfig.dst_addr = tup->uport.mapbase;
> dma_sconfig.dst_addr_width = DMA_SLAVE_BUSWIDTH_1_BYTE;
> dma_sconfig.dst_maxburst = 16;
> + tup->tx_dma_chan = dma_chan;
> + tup->tx_dma_buf_virt = dma_buf;
> + tup->tx_dma_buf_phys = dma_phys;
> }
>
> ret = dmaengine_slave_config(dma_chan, &dma_sconfig);
> if (ret < 0) {
> dev_err(tup->uport.dev,
> "Dma slave config failed, err = %d\n", ret);
> - goto scrub;
> + tegra_uart_dma_channel_free(tup, dma_to_memory);
> + return ret;
> }
>
> - if (dma_to_memory) {
> - tup->rx_dma_chan = dma_chan;
> - tup->rx_dma_buf_virt = dma_buf;
> - tup->rx_dma_buf_phys = dma_phys;
> - } else {
> - tup->tx_dma_chan = dma_chan;
> - tup->tx_dma_buf_virt = dma_buf;
> - tup->tx_dma_buf_phys = dma_phys;
> - }
> return 0;
> -
> -scrub:
> - tegra_uart_dma_channel_free(tup, dma_to_memory);
> - return ret;
> }
>
> static int tegra_uart_startup(struct uart_port *u)
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists