From: Greg KH <greg@kroah.com>
To: linux-kernel@vger.kernel.org
Cc: p.zabel@pengutronix.de, stable-commits@vger.kernel.org
Subject: Re: Patch "media: coda: fix memory corruption in case more than 32 instances are opened" has been added to the 4.4-stable tree
Date: Sat, 7 Dec 2019 13:20:29 +0100 [thread overview]
Message-ID: <20191207122029.GA395017@kroah.com> (raw)
In-Reply-To: <20191206212445.379A92467A@mail.kernel.org>
On Fri, Dec 06, 2019 at 04:24:44PM -0500, Sasha Levin wrote:
> This is a note to let you know that I've just added the patch titled
>
> media: coda: fix memory corruption in case more than 32 instances are opened
>
> to the 4.4-stable tree which can be found at:
> http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
>
> The filename of the patch is:
> media-coda-fix-memory-corruption-in-case-more-than-3.patch
> and it can be found in the queue-4.4 subdirectory.
>
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@vger.kernel.org> know about it.
>
>
>
> commit 0aecc2dd80345b10cd6ab210a77b3ecc83ca4bdc
> Author: Philipp Zabel <p.zabel@pengutronix.de>
> Date: Tue Nov 6 05:40:54 2018 -0500
>
> media: coda: fix memory corruption in case more than 32 instances are opened
>
> [ Upstream commit 649cfc2bdfeeb98ff7d8fdff0af3f8fb9c8da50f ]
>
> The ffz() return value is undefined if the instance mask does not
> contain any zeros. If it returned 32, the following set_bit would
> corrupt the debugfs_root pointer.
> Switch to IDA for context index allocation. This also removes the
> artificial 32 instance limit for all except CodaDx6.
>
> Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
> Signed-off-by: Hans Verkuil <hansverk@cisco.com>
> Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
>
> diff --git a/drivers/media/platform/coda/coda-common.c b/drivers/media/platform/coda/coda-common.c
> index 323aad3c89de6..154aa7d73a8d2 100644
> --- a/drivers/media/platform/coda/coda-common.c
> +++ b/drivers/media/platform/coda/coda-common.c
> @@ -17,6 +17,7 @@
> #include <linux/firmware.h>
> #include <linux/gcd.h>
> #include <linux/genalloc.h>
> +#include <linux/idr.h>
> #include <linux/interrupt.h>
> #include <linux/io.h>
> #include <linux/irq.h>
> @@ -1644,17 +1645,6 @@ int coda_decoder_queue_init(void *priv, struct vb2_queue *src_vq,
> return coda_queue_init(priv, dst_vq);
> }
>
> -static int coda_next_free_instance(struct coda_dev *dev)
> -{
> - int idx = ffz(dev->instance_mask);
> -
> - if ((idx < 0) ||
> - (dev->devtype->product == CODA_DX6 && idx > CODADX6_MAX_INSTANCES))
> - return -EBUSY;
> -
> - return idx;
> -}
> -
> /*
> * File operations
> */
> @@ -1663,7 +1653,8 @@ static int coda_open(struct file *file)
> {
> struct video_device *vdev = video_devdata(file);
> struct coda_dev *dev = video_get_drvdata(vdev);
> - struct coda_ctx *ctx = NULL;
> + struct coda_ctx *ctx;
> + unsigned int max = ~0;
> char *name;
> int ret;
> int idx;
> @@ -1672,12 +1663,13 @@ static int coda_open(struct file *file)
> if (!ctx)
> return -ENOMEM;
>
> - idx = coda_next_free_instance(dev);
> + if (dev->devtype->product == CODA_DX6)
> + max = CODADX6_MAX_INSTANCES - 1;
> + idx = ida_alloc_max(&dev->ida, max, GFP_KERNEL);
> if (idx < 0) {
> ret = idx;
> goto err_coda_max;
> }
> - set_bit(idx, &dev->instance_mask);
>
> name = kasprintf(GFP_KERNEL, "context%d", idx);
> if (!name) {
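Review bot: The `idx = ida_alloc_max(&dev->ida, max, GFP_KERNEL);` line calls an IDA helper that, as far as I recall, only arrived around 4.19, so it has no definition in the 4.4 tree this was queued for; a backport would have to use the older `ida_simple_get(&dev->ida, 0, max + 1, GFP_KERNEL)` here and `ida_simple_remove()` at the `ida_free()` sites in the error path and in coda_release. With `max = ~0` the `max + 1` argument wraps to 0, which ida_simple_get treats as "no upper bound" if I remember its contract correctly, but that deserves a one-line comment rather than being left implicit. Separately, an exhausted index space now yields the IDA's -ENOSPC where the removed coda_next_free_instance() returned -EBUSY, so the errno userspace sees at the instance limit changes; if that matters, map it with `if (idx == -ENOSPC) ret = -EBUSY;` before `goto err_coda_max`. coda_open's body begins and ends outside this hunk.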
> @@ -1771,8 +1763,8 @@ err_clk_per:
> err_pm_get:
> v4l2_fh_del(&ctx->fh);
> v4l2_fh_exit(&ctx->fh);
> - clear_bit(ctx->idx, &dev->instance_mask);
> err_coda_name_init:
> + ida_free(&dev->ida, ctx->idx);
> err_coda_max:
> kfree(ctx);
> return ret;
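Review bot: The new `ida_free(&dev->ida, ctx->idx);` under `err_coda_name_init:` is reached from the kasprintf failure path as well, and that jump presumably happens before `ctx->idx` is assigned (the assignment is not visible in this hunk); if so, the zero-initialised `ctx->idx` would release index 0, which may belong to a different open context, instead of the index just allocated. Freeing by the local that holds the allocation result avoids depending on when the field is set: `ida_free(&dev->ida, idx);`. The same value is correct on the fall-through from `err_pm_get`, since `idx` is still in scope there. The enclosing coda_open body starts outside this hunk.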
> @@ -1811,7 +1803,7 @@ static int coda_release(struct file *file)
> pm_runtime_put_sync(&dev->plat_dev->dev);
> v4l2_fh_del(&ctx->fh);
> v4l2_fh_exit(&ctx->fh);
> - clear_bit(ctx->idx, &dev->instance_mask);
> + ida_free(&dev->ida, ctx->idx);
> if (ctx->ops->release)
> ctx->ops->release(ctx);
> debugfs_remove_recursive(ctx->debugfs_entry);
> @@ -2192,6 +2184,7 @@ static int coda_probe(struct platform_device *pdev)
>
> mutex_init(&dev->dev_mutex);
> mutex_init(&dev->coda_mutex);
> + ida_init(&dev->ida);
>
> dev->debugfs_root = debugfs_create_dir("coda", NULL);
> if (!dev->debugfs_root)
> @@ -2276,6 +2269,7 @@ static int coda_remove(struct platform_device *pdev)
> coda_free_aux_buf(dev, &dev->tempbuf);
> coda_free_aux_buf(dev, &dev->workbuf);
> debugfs_remove_recursive(dev->debugfs_root);
> + ida_destroy(&dev->ida);
> return 0;
> }
>
> diff --git a/drivers/media/platform/coda/coda.h b/drivers/media/platform/coda/coda.h
> index 96532b06bd9e1..239f6bb2fca42 100644
> --- a/drivers/media/platform/coda/coda.h
> +++ b/drivers/media/platform/coda/coda.h
> @@ -16,6 +16,7 @@
> #define __CODA_H__
>
> #include <linux/debugfs.h>
> +#include <linux/idr.h>
> #include <linux/irqreturn.h>
> #include <linux/mutex.h>
> #include <linux/kfifo.h>
> @@ -93,7 +94,7 @@ struct coda_dev {
> struct v4l2_m2m_dev *m2m_dev;
> struct vb2_alloc_ctx *alloc_ctx;
> struct list_head instances;
> - unsigned long instance_mask;
> + struct ida ida;
> struct dentry *debugfs_root;
> };
>
This breaks the build in 4.4, 4.9, and 4.14 kernels, so I've dropped it
from there.