[PATCH v2] dmaengine: mcf-edma: Fix a potential un-allocated memory access

[PATCH v2] dmaengine: mcf-edma: Fix a potential un-allocated memory access

[Christophe JAILLET]

When 'mcf_edma' is allocated, some space is allocated for a
flexible array at the end of the struct. 'chans' item are allocated, that is
to say 'pdata->dma_channels'.

Then, this number of item is stored in 'mcf_edma->n_chans'.

A few lines later, if 'mcf_edma->n_chans' is 0, then a default value of 64
is set.

This ends to no space allocated by devm_kzalloc() because chans was 0, but
64 items are read and/or written in some not allocated memory.

Change the logic to define a default value before allocating the memory.

Fixes: e7a3ff92eaf1 ("dmaengine: fsl-edma: add ColdFire mcf5441x edma support")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
---
If I'm correct, then:

   - the default value is hard-coded as 64. There is also a
        #define EDMA_CHANNELS 64
     which maybe could be used, or renamed as EDMA_DEFAULT_CHANNELS

   - mcf_edma_err_handler() looks bogus, because it considers that
     mcf_edma->chans has EDMA_CHANNELS items.
     I guess that something related to mcf_edma->n_chans is what is
     expected, but how should this be done?

Maybe, the EDMA_CHANNELS value should be used all the time?
Maybe, the number of chans should be limited to EDMA_CHANNELS?
Maybe, the number of chans should be at least EDMA_CHANNELS?

Maybe, maybe, maybe, but me, I don't know :(

All I know is that this patch compiles :)
and that it can gives Dan an idea for smatch for checking access to un-allocated
memory related to flexible array :)


v2: I forgot the subject in v1...
---
 drivers/dma/mcf-edma.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/drivers/dma/mcf-edma.c b/drivers/dma/mcf-edma.c
index ebd8733f72ad..9413fad08a60 100644
--- a/drivers/dma/mcf-edma.c
+++ b/drivers/dma/mcf-edma.c
@@ -190,7 +190,13 @@ static int mcf_edma_probe(struct platform_device *pdev)
 		return -EINVAL;
 	}
 
-	chans = pdata->dma_channels;
+	if (!pdata->dma_channels) {
+		dev_info(&pdev->dev, "setting default channel number to 64");
+		chans = 64;
+	} else {
+		chans = pdata->dma_channels;
+	}
+
 	len = sizeof(*mcf_edma) + sizeof(*mcf_chan) * chans;
 	mcf_edma = devm_kzalloc(&pdev->dev, len, GFP_KERNEL);
 	if (!mcf_edma)
@@ -202,11 +208,6 @@ static int mcf_edma_probe(struct platform_device *pdev)
 	mcf_edma->drvdata = &mcf_data;
 	mcf_edma->big_endian = 1;
 
-	if (!mcf_edma->n_chans) {
-		dev_info(&pdev->dev, "setting default channel number to 64");
-		mcf_edma->n_chans = 64;
-	}
-
 	mutex_init(&mcf_edma->fsl_edma_mutex);
 
 	mcf_edma->membase = devm_platform_ioremap_resource(pdev, 0);
-- 
2.34.1

Re: [PATCH v2] dmaengine: mcf-edma: Fix a potential un-allocated memory access

[Vinod Koul]

On Sat, 27 May 2023 09:36:31 +0200, Christophe JAILLET wrote:
> When 'mcf_edma' is allocated, some space is allocated for a
> flexible array at the end of the struct. 'chans' item are allocated, that is
> to say 'pdata->dma_channels'.
> 
> Then, this number of item is stored in 'mcf_edma->n_chans'.
> 
> A few lines later, if 'mcf_edma->n_chans' is 0, then a default value of 64
> is set.
> 
> [...]

Applied, thanks!

[1/1] dmaengine: mcf-edma: Fix a potential un-allocated memory access
      commit: ad5808c58ddceeab43dc68cc10d99f56d143facd

Best regards,
-- 
~Vinod