lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <063afbd8-544c-c8c1-c9a0-4e8fe0d5800a@samsung.com>
Date:   Wed, 20 May 2020 15:30:24 +0200
From:   Marek Szyprowski <m.szyprowski@...sung.com>
To:     Tomi Valkeinen <tomi.valkeinen@...com>,
        Linux Media Mailing List <linux-media@...r.kernel.org>,
        Mauro Carvalho Chehab <mchehab@...nel.org>,
        Ulf Hansson <ulf.hansson@...aro.org>
Cc:     LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] media: videobuf2-dma-contig: fix bad kfree in
 vb2_dma_contig_clear_max_seg_size

Hi Tomi,

On 20.05.2020 15:15, Tomi Valkeinen wrote:
> Commit 9495b7e92f716ab2bd6814fab5e97ab4a39adfdd ("driver core: platform:
> Initialize dma_parms for platform devices") in v5.7-rc5 causes
> vb2_dma_contig_clear_max_seg_size() to kfree memory that was not
> allocated by vb2_dma_contig_set_max_seg_size().
>
> The assumption in vb2_dma_contig_set_max_seg_size() seems to be that
> dev->dma_parms is always NULL when the driver is probed, and the case
> where dev->dma_parms has bee initialized by someone else than the driver
> (by calling vb2_dma_contig_set_max_seg_size) will cause a failure.
>
> All the current users of these functions are platform devices, which now
> always have dma_parms set by the driver core. To fix the issue for v5.7,
> make vb2_dma_contig_set_max_seg_size() return an error if dma_parms is
> NULL to be on the safe side, and remove the kfree code from
> vb2_dma_contig_clear_max_seg_size().
>
> For v5.8 we should remove the two functions and move the
> dma_set_max_seg_size() calls into the drivers.
>
> Signed-off-by: Tomi Valkeinen <tomi.valkeinen@...com>
> ---
>
> Note: I have only fully tested this on linux-next, as the capture driver
> I use doesn't support unloading modules in v5.7.
>
>   drivers/media/common/videobuf2/videobuf2-dma-contig.c | 7 ++-----
>   1 file changed, 2 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/media/common/videobuf2/videobuf2-dma-contig.c b/drivers/media/common/videobuf2/videobuf2-dma-contig.c
> index d3a3ee5b597b..24f80b62ef94 100644
> --- a/drivers/media/common/videobuf2/videobuf2-dma-contig.c
> +++ b/drivers/media/common/videobuf2/videobuf2-dma-contig.c
> @@ -726,9 +726,8 @@ EXPORT_SYMBOL_GPL(vb2_dma_contig_memops);
>   int vb2_dma_contig_set_max_seg_size(struct device *dev, unsigned int size)
>   {
>   	if (!dev->dma_parms) {
> -		dev->dma_parms = kzalloc(sizeof(*dev->dma_parms), GFP_KERNEL);
> -		if (!dev->dma_parms)
> -			return -ENOMEM;
> +		dev_err(dev, "Failed to set max_seg_size: dma_parms is NULL\n");
> +		return -ENODEV;
>   	}
>   	if (dma_get_max_seg_size(dev) < size)
>   		return dma_set_max_seg_size(dev, size);
> @@ -747,8 +746,6 @@ EXPORT_SYMBOL_GPL(vb2_dma_contig_set_max_seg_size);
>    */
>   void vb2_dma_contig_clear_max_seg_size(struct device *dev)
>   {
> -	kfree(dev->dma_parms);
> -	dev->dma_parms = NULL;
>   }
>   EXPORT_SYMBOL_GPL(vb2_dma_contig_clear_max_seg_size);

We don't need to export empty function imho. It can be made an empty 
static inline in include/media/videobuf2-dma-contig.h.

Best regards
-- 
Marek Szyprowski, PhD
Samsung R&D Institute Poland

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ