lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20210611101948.18972-1-tiwai@suse.de>
Date:   Fri, 11 Jun 2021 12:19:48 +0200
From:   Takashi Iwai <tiwai@...e.de>
To:     Adrian Hunter <adrian.hunter@...el.com>
Cc:     Ulf Hansson <ulf.hansson@...aro.org>, linux-mmc@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: [PATCH v2] mmc: sdhci: Clear unused bounce buffer at DMA mmap error path

When DMA-mapping of the bounce buffer fails, the driver tries to fall
back, but it leaves the allocated host->bounce_buffer although its
size is zero.  Later on, the driver checks the use of bounce buffer
with host->bounce_buffer pointer, and it tries to use the buffer
incorrectly, resulting in Oops.

This patch clears the release the unused buffer and clears the
bounce_buffer pointer for addressing the problem.

Acked-by: Adrian Hunter <adrian.hunter@...el.com>
Signed-off-by: Takashi Iwai <tiwai@...e.de>
---
v1->v2: correct the device pointer to mmc_dev(mmc)

 drivers/mmc/host/sdhci.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/mmc/host/sdhci.c b/drivers/mmc/host/sdhci.c
index bf238ade1602..c80bc6c4ebf3 100644
--- a/drivers/mmc/host/sdhci.c
+++ b/drivers/mmc/host/sdhci.c
@@ -4072,9 +4072,13 @@ static void sdhci_allocate_bounce_buffer(struct sdhci_host *host)
 					   bounce_size,
 					   DMA_BIDIRECTIONAL);
 	ret = dma_mapping_error(mmc_dev(mmc), host->bounce_addr);
-	if (ret)
+	if (ret) {
+		devm_kfree(mmc_dev(mmc), host->bounce_buffer);
+		host->bounce_buffer = NULL;
 		/* Again fall back to max_segs == 1 */
 		return;
+	}
+
 	host->bounce_buffer_size = bounce_size;
 
 	/* Lie about this since we're bouncing */
-- 
2.26.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ