| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 22 Jun 2021 22:30:58 +0200
From: Arnd Bergmann <arnd@...db.de>
To: Jernej Skrabec <jernej.skrabec@...il.com>
Cc: pizza@...ftnet.org, Ulf Hansson <ulf.hansson@...aro.org>,
Kalle Valo <kvalo@...eaurora.org>,
David Miller <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
linux-wireless <linux-wireless@...r.kernel.org>,
Networking <netdev@...r.kernel.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [RFC PATCH] cw1200: use kmalloc() allocation instead of stack
On Tue, Jun 22, 2021 at 10:24 PM Jernej Skrabec
<jernej.skrabec@...il.com> wrote:
>
> It turns out that if CONFIG_VMAP_STACK is enabled and src or dst is
> memory allocated on stack, SDIO operations fail due to invalid memory
> address conversion:
Thank you for sending this!
It's worth pointing out that even without CONFIG_VMAP_STACK, using
dma_map_sg() on a stack variable is broken, though it will appear to
work most of the time but rarely cause a stack data corruption when
the cache management goes wrong.
This clearly needs to be fixed somewhere, if not with your patch, then
a similar one.
> diff --git a/drivers/net/wireless/st/cw1200/hwio.c b/drivers/net/wireless/st/cw1200/hwio.c
> index 3ba462de8e91..5521cb7f2233 100644
> --- a/drivers/net/wireless/st/cw1200/hwio.c
> +++ b/drivers/net/wireless/st/cw1200/hwio.c
> @@ -66,33 +66,65 @@ static int __cw1200_reg_write(struct cw1200_common *priv, u16 addr,
> static inline int __cw1200_reg_read_32(struct cw1200_common *priv,
> u16 addr, u32 *val)
> {
> - __le32 tmp;
> - int i = __cw1200_reg_read(priv, addr, &tmp, sizeof(tmp), 0);
> - *val = le32_to_cpu(tmp);
> + __le32 *tmp;
> + int i;
> +
> + tmp = kmalloc(sizeof(*tmp), GFP_KERNEL);
> + if (!tmp)
> + return -ENOMEM;
> +
> + i = __cw1200_reg_read(priv, addr, tmp, sizeof(*tmp), 0);
> + *val = le32_to_cpu(*tmp);
> + kfree(tmp);
> return i;
> }
There is a possible problem here when the function gets called from
atomic context, so it might need to use GFP_ATOMIC instead of
GFP_KERNEL. If it's never called from atomic context, then this patch
looks correct to me.
The alternative would be to add a bounce buffer check based on
is_vmalloc_or_module_addr() in sdio_io_rw_ext_helper(), which would
add a small bit of complexity there but solve the problem for
all drivers at once. In this case, it would probably have to use
GFP_ATOMIC regardless of whether __cw1200_reg_read_32()
is allowed to sleep, since other callers might not.
Arnd
Powered by blists - more mailing lists