All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] dmaengine: virt-dma: Fix access after free in vcna_complete()
@ 2019-12-20 13:11 Peter Ujfalusi
  2019-12-20 13:56 ` Ardelean, Alexandru
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Peter Ujfalusi @ 2019-12-20 13:11 UTC (permalink / raw)
  To: vkoul
  Cc: dan.j.williams, dmaengine, linux-kernel, alexandru.ardelean, s.hauer

vchan_vdesc_fini() is freeing up 'vd' so the access to vd->tx_result is
via already freed up memory.

Move the vchan_vdesc_fini() after invoking the callback to avoid this.

Fixes: 09d5b702b0f97 ("dmaengine: virt-dma: store result on dma descriptor")
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
---
 drivers/dma/virt-dma.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/dma/virt-dma.c b/drivers/dma/virt-dma.c
index ec4adf4260a0..256fc662c500 100644
--- a/drivers/dma/virt-dma.c
+++ b/drivers/dma/virt-dma.c
@@ -104,9 +104,8 @@ static void vchan_complete(unsigned long arg)
 		dmaengine_desc_get_callback(&vd->tx, &cb);
 
 		list_del(&vd->node);
-		vchan_vdesc_fini(vd);
-
 		dmaengine_desc_callback_invoke(&cb, &vd->tx_result);
+		vchan_vdesc_fini(vd);
 	}
 }
 
-- 
Peter

Texas Instruments Finland Oy, Porkkalankatu 22, 00180 Helsinki.
Y-tunnus/Business ID: 0615521-4. Kotipaikka/Domicile: Helsinki


^ permalink raw reply related	[flat|nested] 6+ messages in thread
* Re: [PATCH] dmaengine: virt-dma: Fix access after free in vcna_complete()
  2019-12-20 13:11 [PATCH] dmaengine: virt-dma: Fix access after free in vcna_complete() Peter Ujfalusi
@ 2019-12-20 13:56 ` Ardelean, Alexandru
  2019-12-20 14:01 ` Ardelean, Alexandru
  2019-12-23  7:52 ` Vinod Koul
  2 siblings, 0 replies; 6+ messages in thread
From: Ardelean, Alexandru @ 2019-12-20 13:56 UTC (permalink / raw)
  To: vkoul, peter.ujfalusi; +Cc: dan.j.williams, dmaengine, s.hauer, linux-kernel

On Fri, 2019-12-20 at 15:11 +0200, Peter Ujfalusi wrote:
> [External]
> 
> vchan_vdesc_fini() is freeing up 'vd' so the access to vd->tx_result is
> via already freed up memory.
> 
> Move the vchan_vdesc_fini() after invoking the callback to avoid this.
> 

Reviewed-by: Alexandru Ardelean <alexandru.ardelean@analog.com>

> Fixes: 09d5b702b0f97 ("dmaengine: virt-dma: store result on dma
> descriptor")
> Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
> ---
>  drivers/dma/virt-dma.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/drivers/dma/virt-dma.c b/drivers/dma/virt-dma.c
> index ec4adf4260a0..256fc662c500 100644
> --- a/drivers/dma/virt-dma.c
> +++ b/drivers/dma/virt-dma.c
> @@ -104,9 +104,8 @@ static void vchan_complete(unsigned long arg)
>  		dmaengine_desc_get_callback(&vd->tx, &cb);
>  
>  		list_del(&vd->node);
> -		vchan_vdesc_fini(vd);
> -
>  		dmaengine_desc_callback_invoke(&cb, &vd->tx_result);
> +		vchan_vdesc_fini(vd);
>  	}
>  }
>  

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH] dmaengine: virt-dma: Fix access after free in vcna_complete()
  2019-12-20 13:11 [PATCH] dmaengine: virt-dma: Fix access after free in vcna_complete() Peter Ujfalusi
  2019-12-20 13:56 ` Ardelean, Alexandru
@ 2019-12-20 14:01 ` Ardelean, Alexandru
  2019-12-20 14:50   ` Peter Ujfalusi
  2019-12-23  7:52 ` Vinod Koul
  2 siblings, 1 reply; 6+ messages in thread
From: Ardelean, Alexandru @ 2019-12-20 14:01 UTC (permalink / raw)
  To: vkoul, peter.ujfalusi; +Cc: dan.j.williams, dmaengine, s.hauer, linux-kernel

On Fri, 2019-12-20 at 15:11 +0200, Peter Ujfalusi wrote:
> [External]
> 
> vchan_vdesc_fini() is freeing up 'vd' so the access to vd->tx_result is
> via already freed up memory.
> 
> Move the vchan_vdesc_fini() after invoking the callback to avoid this.
> 

Apologies for seeing this too late: typo in title vcna_complete() ->
vchan_complete()


> Fixes: 09d5b702b0f97 ("dmaengine: virt-dma: store result on dma
> descriptor")
> Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
> ---
>  drivers/dma/virt-dma.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/drivers/dma/virt-dma.c b/drivers/dma/virt-dma.c
> index ec4adf4260a0..256fc662c500 100644
> --- a/drivers/dma/virt-dma.c
> +++ b/drivers/dma/virt-dma.c
> @@ -104,9 +104,8 @@ static void vchan_complete(unsigned long arg)
>  		dmaengine_desc_get_callback(&vd->tx, &cb);
>  
>  		list_del(&vd->node);
> -		vchan_vdesc_fini(vd);
> -
>  		dmaengine_desc_callback_invoke(&cb, &vd->tx_result);
> +		vchan_vdesc_fini(vd);
>  	}
>  }
>  

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH] dmaengine: virt-dma: Fix access after free in vcna_complete()
  2019-12-20 14:01 ` Ardelean, Alexandru
@ 2019-12-20 14:50   ` Peter Ujfalusi
  2019-12-23  7:54     ` Vinod Koul
  0 siblings, 1 reply; 6+ messages in thread
From: Peter Ujfalusi @ 2019-12-20 14:50 UTC (permalink / raw)
  To: Ardelean, Alexandru, vkoul
  Cc: dan.j.williams, dmaengine, s.hauer, linux-kernel



On 20/12/2019 16.01, Ardelean, Alexandru wrote:
> On Fri, 2019-12-20 at 15:11 +0200, Peter Ujfalusi wrote:
>> [External]
>>
>> vchan_vdesc_fini() is freeing up 'vd' so the access to vd->tx_result is
>> via already freed up memory.
>>
>> Move the vchan_vdesc_fini() after invoking the callback to avoid this.
>>
> 
> Apologies for seeing this too late: typo in title vcna_complete() ->
> vchan_complete()

Yep, I also noticed after sending it, I hope Vinod is kind enough and
fix it up when applying ;)

- Péter

>> Fixes: 09d5b702b0f97 ("dmaengine: virt-dma: store result on dma
>> descriptor")
>> Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
>> ---
>>  drivers/dma/virt-dma.c | 3 +--
>>  1 file changed, 1 insertion(+), 2 deletions(-)
>>
>> diff --git a/drivers/dma/virt-dma.c b/drivers/dma/virt-dma.c
>> index ec4adf4260a0..256fc662c500 100644
>> --- a/drivers/dma/virt-dma.c
>> +++ b/drivers/dma/virt-dma.c
>> @@ -104,9 +104,8 @@ static void vchan_complete(unsigned long arg)
>>  		dmaengine_desc_get_callback(&vd->tx, &cb);
>>  
>>  		list_del(&vd->node);
>> -		vchan_vdesc_fini(vd);
>> -
>>  		dmaengine_desc_callback_invoke(&cb, &vd->tx_result);
>> +		vchan_vdesc_fini(vd);
>>  	}
>>  }
>>  


Texas Instruments Finland Oy, Porkkalankatu 22, 00180 Helsinki.
Y-tunnus/Business ID: 0615521-4. Kotipaikka/Domicile: Helsinki

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH] dmaengine: virt-dma: Fix access after free in vcna_complete()
  2019-12-20 13:11 [PATCH] dmaengine: virt-dma: Fix access after free in vcna_complete() Peter Ujfalusi
  2019-12-20 13:56 ` Ardelean, Alexandru
  2019-12-20 14:01 ` Ardelean, Alexandru
@ 2019-12-23  7:52 ` Vinod Koul
  2 siblings, 0 replies; 6+ messages in thread
From: Vinod Koul @ 2019-12-23  7:52 UTC (permalink / raw)
  To: Peter Ujfalusi
  Cc: dan.j.williams, dmaengine, linux-kernel, alexandru.ardelean, s.hauer

On 20-12-19, 15:11, Peter Ujfalusi wrote:
> vchan_vdesc_fini() is freeing up 'vd' so the access to vd->tx_result is
> via already freed up memory.
> 
> Move the vchan_vdesc_fini() after invoking the callback to avoid this.

Applied, thanks

-- 
~Vinod

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH] dmaengine: virt-dma: Fix access after free in vcna_complete()
  2019-12-20 14:50   ` Peter Ujfalusi
@ 2019-12-23  7:54     ` Vinod Koul
  0 siblings, 0 replies; 6+ messages in thread
From: Vinod Koul @ 2019-12-23  7:54 UTC (permalink / raw)
  To: Peter Ujfalusi
  Cc: Ardelean, Alexandru, dan.j.williams, dmaengine, s.hauer, linux-kernel

On 20-12-19, 16:50, Peter Ujfalusi wrote:
> 
> 
> On 20/12/2019 16.01, Ardelean, Alexandru wrote:
> > On Fri, 2019-12-20 at 15:11 +0200, Peter Ujfalusi wrote:
> >> [External]
> >>
> >> vchan_vdesc_fini() is freeing up 'vd' so the access to vd->tx_result is
> >> via already freed up memory.
> >>
> >> Move the vchan_vdesc_fini() after invoking the callback to avoid this.
> >>
> > 
> > Apologies for seeing this too late: typo in title vcna_complete() ->
> > vchan_complete()
> 
> Yep, I also noticed after sending it, I hope Vinod is kind enough and
> fix it up when applying ;)

In case it wasnt clear, yeah trivial changes while applying are no
hassle :)

-- 
~Vinod

^ permalink raw reply	[flat|nested] 6+ messages in thread
end of thread, other threads:[~2019-12-23  7:54 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-12-20 13:11 [PATCH] dmaengine: virt-dma: Fix access after free in vcna_complete() Peter Ujfalusi
2019-12-20 13:56 ` Ardelean, Alexandru
2019-12-20 14:01 ` Ardelean, Alexandru
2019-12-20 14:50   ` Peter Ujfalusi
2019-12-23  7:54     ` Vinod Koul
2019-12-23  7:52 ` Vinod Koul

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.