lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue,  1 Aug 2017 22:09:26 +0200
From:   Antonio Borneo <borneo.antonio@...il.com>
To:     dmaengine@...r.kernel.org, Vinod Koul <vinod.koul@...el.com>,
        Dan Williams <dan.j.williams@...el.com>
Cc:     Antonio Borneo <borneo.antonio@...il.com>,
        linux-kernel@...r.kernel.org, John Stultz <john.stultz@...aro.org>,
        Zhangfei Gao <zhangfei.gao@...aro.org>
Subject: [PATCH v2 2/3] dmaengine: k3dma: fix double free of descriptor

Commit 36387a2b1f62b5c087c5fe6f0f7b23b94f722ad7 ("k3dma: Fix
memory handling in preparation for cyclic mode") adds code
to free the descriptor in ds_done.

In cyclic mode, ds_done is never used and it's always NULL,
so the added code is not executed.

In non-cyclic mode, ds_done is used as a flag: when not NULL
it signals that the descriptor has been consumed. No need to
free it because it would be free by vchan_complete().

The fix takes back the code changed by the commit above:
- remove the free on the descriptor;
- initialize ds_done to NULL for the next run.

Signed-off-by: Antonio Borneo <borneo.antonio@...il.com>
---
To: dmaengine@...r.kernel.org
To: Vinod Koul <vinod.koul@...el.com>
To: Dan Williams <dan.j.williams@...el.com>
Cc: linux-kernel@...r.kernel.org
Cc: John Stultz <john.stultz@...aro.org>
Cc: Zhangfei Gao <zhangfei.gao@...aro.org>
---
 drivers/dma/k3dma.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/drivers/dma/k3dma.c b/drivers/dma/k3dma.c
index c00eb12..b769623 100644
--- a/drivers/dma/k3dma.c
+++ b/drivers/dma/k3dma.c
@@ -724,11 +724,7 @@ static int k3_dma_terminate_all(struct dma_chan *chan)
 			k3_dma_free_desc(&p->ds_run->vd);
 			p->ds_run = NULL;
 		}
-		if (p->ds_done) {
-			k3_dma_free_desc(&p->ds_done->vd);
-			p->ds_done = NULL;
-		}
-
+		p->ds_done = NULL;
 	}
 	spin_unlock_irqrestore(&c->vc.lock, flags);
 	vchan_dma_desc_free_list(&c->vc, &head);
-- 
1.9.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ