| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <6159c10a-2f5f-e6ef-7a64-4b613e422efa@mev.co.uk>
Date: Mon, 16 Dec 2019 10:36:28 +0000
From: Ian Abbott <abbotti@....co.uk>
To: Navid Emamdoost <navid.emamdoost@...il.com>,
H Hartley Sweeten <hsweeten@...ionengravers.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
devel@...verdev.osuosl.org, linux-kernel@...r.kernel.org
Cc: emamd001@....edu
Subject: Re: [PATCH] staging: comedi: drivers: Fix memory leak in
gsc_hpdi_auto_attach
On 15/12/2019 01:33, Navid Emamdoost wrote:
> In the implementation of gsc_hpdi_auto_attach(), the allocated dma
> description is leaks in case of alignment error, or failure of
> gsc_hpdi_setup_dma_descriptors() or comedi_alloc_subdevices(). Release
> devpriv->dma_desc via dma_free_coherent().
>
> Signed-off-by: Navid Emamdoost <navid.emamdoost@...il.com>
Actually, there is no memory leak (although there is another problem
that I'll mention below). If the "auto_attach" handler
gsc_hpdi_auto_attach() returns an error, then the "detach" handler
gsc_hpdi_detach() will be called automatically to clean up. (This is
true for all comedi drivers). gsc_hpdi_detach() calls
gsc_hpdi_free_dma() to free the DMA buffers and DMA descriptors.
> ---
> drivers/staging/comedi/drivers/gsc_hpdi.c | 16 +++++++++++++---
> 1 file changed, 13 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/staging/comedi/drivers/gsc_hpdi.c b/drivers/staging/comedi/drivers/gsc_hpdi.c
> index 4bdf44d82879..c0c7047a6d1b 100644
> --- a/drivers/staging/comedi/drivers/gsc_hpdi.c
> +++ b/drivers/staging/comedi/drivers/gsc_hpdi.c
> @@ -633,16 +633,17 @@ static int gsc_hpdi_auto_attach(struct comedi_device *dev,
> if (devpriv->dma_desc_phys_addr & 0xf) {
> dev_warn(dev->class_dev,
> " dma descriptors not quad-word aligned (bug)\n");
> - return -EIO;
> + retval = -EIO;
> + goto release_dma_desc;
> }
>
> retval = gsc_hpdi_setup_dma_descriptors(dev, 0x1000);
> if (retval < 0)
> - return retval;
> + goto release_dma_desc;
>
> retval = comedi_alloc_subdevices(dev, 1);
> if (retval)
> - return retval;
> + goto release_dma_desc;
>
> /* Digital I/O subdevice */
> s = &dev->subdevices[0];
> @@ -660,6 +661,15 @@ static int gsc_hpdi_auto_attach(struct comedi_device *dev,
> s->cancel = gsc_hpdi_cancel;
>
> return gsc_hpdi_init(dev);
> +
> +release_dma_desc:
> + if (devpriv->dma_desc)
> + dma_free_coherent(&pcidev->dev,
> + sizeof(struct plx_dma_desc) *
> + NUM_DMA_DESCRIPTORS,
> + devpriv->dma_desc,
> + devpriv->dma_desc_phys_addr);
> + return retval;
> }
>
> static void gsc_hpdi_detach(struct comedi_device *dev)
>
This patch could actually result in devpriv->dma_desc being freed twice
- once in the 'release_dma_desc:' code and again when gsc_hpdi_detach()
is called externally as part of the clean-up.
The real bug in the original code is that it does not check whether any
of the calls to dma_alloc_coherent() returned NULL. If any of the calls
to dma_alloc_coherent() returns NULL, gsc_hpdi_auto_attach() needs to
return an error (-ENOMEM). The subsequent call to gsc_hpdi_detach()
will then free whatever DMA coherent buffers where allocated.
--
-=( Ian Abbott <abbotti@....co.uk> || Web: www.mev.co.uk )=-
-=( MEV Ltd. is a company registered in England & Wales. )=-
-=( Registered number: 02862268. Registered address: )=-
-=( 15 West Park Road, Bramhall, STOCKPORT, SK7 3JZ, UK. )=-
Powered by blists - more mailing lists