lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAPDyKFpxSYE9G=Hy61cWmj1fGdfnzqg5DLraD7_o462bZg_oCw@mail.gmail.com>
Date:   Wed, 20 May 2020 17:06:12 +0200
From:   Ulf Hansson <ulf.hansson@...aro.org>
To:     Tomi Valkeinen <tomi.valkeinen@...com>
Cc:     Linux Media Mailing List <linux-media@...r.kernel.org>,
        Mauro Carvalho Chehab <mchehab@...nel.org>,
        Marek Szyprowski <m.szyprowski@...sung.com>,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] media: videobuf2-dma-contig: fix bad kfree in vb2_dma_contig_clear_max_seg_size

On Wed, 20 May 2020 at 15:16, Tomi Valkeinen <tomi.valkeinen@...com> wrote:
>
> Commit 9495b7e92f716ab2bd6814fab5e97ab4a39adfdd ("driver core: platform:
> Initialize dma_parms for platform devices") in v5.7-rc5 causes
> vb2_dma_contig_clear_max_seg_size() to kfree memory that was not
> allocated by vb2_dma_contig_set_max_seg_size().
>
> The assumption in vb2_dma_contig_set_max_seg_size() seems to be that
> dev->dma_parms is always NULL when the driver is probed, and the case
> where dev->dma_parms has bee initialized by someone else than the driver
> (by calling vb2_dma_contig_set_max_seg_size) will cause a failure.
>
> All the current users of these functions are platform devices, which now
> always have dma_parms set by the driver core. To fix the issue for v5.7,
> make vb2_dma_contig_set_max_seg_size() return an error if dma_parms is
> NULL to be on the safe side, and remove the kfree code from
> vb2_dma_contig_clear_max_seg_size().

Not entirely true I believe, see more below.

>
> For v5.8 we should remove the two functions and move the
> dma_set_max_seg_size() calls into the drivers.
>
> Signed-off-by: Tomi Valkeinen <tomi.valkeinen@...com>
> ---
>
> Note: I have only fully tested this on linux-next, as the capture driver
> I use doesn't support unloading modules in v5.7.
>
>  drivers/media/common/videobuf2/videobuf2-dma-contig.c | 7 ++-----
>  1 file changed, 2 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/media/common/videobuf2/videobuf2-dma-contig.c b/drivers/media/common/videobuf2/videobuf2-dma-contig.c
> index d3a3ee5b597b..24f80b62ef94 100644
> --- a/drivers/media/common/videobuf2/videobuf2-dma-contig.c
> +++ b/drivers/media/common/videobuf2/videobuf2-dma-contig.c
> @@ -726,9 +726,8 @@ EXPORT_SYMBOL_GPL(vb2_dma_contig_memops);
>  int vb2_dma_contig_set_max_seg_size(struct device *dev, unsigned int size)
>  {
>         if (!dev->dma_parms) {
> -               dev->dma_parms = kzalloc(sizeof(*dev->dma_parms), GFP_KERNEL);
> -               if (!dev->dma_parms)
> -                       return -ENOMEM;
> +               dev_err(dev, "Failed to set max_seg_size: dma_parms is NULL\n");
> +               return -ENODEV;
>         }
>         if (dma_get_max_seg_size(dev) < size)
>                 return dma_set_max_seg_size(dev, size);
> @@ -747,8 +746,6 @@ EXPORT_SYMBOL_GPL(vb2_dma_contig_set_max_seg_size);
>   */
>  void vb2_dma_contig_clear_max_seg_size(struct device *dev)
>  {
> -       kfree(dev->dma_parms);
> -       dev->dma_parms = NULL;
>  }
>  EXPORT_SYMBOL_GPL(vb2_dma_contig_clear_max_seg_size);

I think you need something along the lines of this as well:

diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc.c
b/drivers/media/platform/s5p-mfc/s5p_mfc.c
index 5c2a23b953a4..7acf2a03812d 100644
--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c
+++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c
@@ -1070,6 +1070,7 @@ static const struct v4l2_file_operations s5p_mfc_fops = {
 /* DMA memory related helper functions */
 static void s5p_mfc_memdev_release(struct device *dev)
 {
+       kfree(dev->dma_parms);
        of_reserved_mem_device_release(dev);
 }

@@ -1090,6 +1091,10 @@ static struct device
*s5p_mfc_alloc_memdev(struct device *dev,
        child->dma_mask = dev->dma_mask;
        child->release = s5p_mfc_memdev_release;

+       child->dma_parms = kzalloc(sizeof(*child->dma_parms), GFP_KERNEL);
+       if (!child->dma_parms)
+               goto err;
+
        /*
         * The memdevs are not proper OF platform devices, so in order for them
         * to be treated as valid DMA masters we need a bit of a hack to force
@@ -1105,6 +1110,7 @@ static struct device
*s5p_mfc_alloc_memdev(struct device *dev,
                device_del(child);
        }

+err:
        put_device(child);
        return NULL;
 }

Also, please tag the patch for stable.

Kind regards
Uffe

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ