* [PATCH] dmaengine: virt-dma: Fix access after free in vcna_complete()
@ 2019-12-20 13:11 Peter Ujfalusi
2019-12-20 13:56 ` Ardelean, Alexandru
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Peter Ujfalusi @ 2019-12-20 13:11 UTC (permalink / raw)
To: vkoul
Cc: dan.j.williams, dmaengine, linux-kernel, alexandru.ardelean, s.hauer
vchan_vdesc_fini() is freeing up 'vd' so the access to vd->tx_result is
via already freed up memory.
Move the vchan_vdesc_fini() after invoking the callback to avoid this.
Fixes: 09d5b702b0f97 ("dmaengine: virt-dma: store result on dma descriptor")
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
---
drivers/dma/virt-dma.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/dma/virt-dma.c b/drivers/dma/virt-dma.c
index ec4adf4260a0..256fc662c500 100644
--- a/drivers/dma/virt-dma.c
+++ b/drivers/dma/virt-dma.c
@@ -104,9 +104,8 @@ static void vchan_complete(unsigned long arg)
dmaengine_desc_get_callback(&vd->tx, &cb);
list_del(&vd->node);
- vchan_vdesc_fini(vd);
-
dmaengine_desc_callback_invoke(&cb, &vd->tx_result);
+ vchan_vdesc_fini(vd);
}
}
--
Peter
Texas Instruments Finland Oy, Porkkalankatu 22, 00180 Helsinki.
Y-tunnus/Business ID: 0615521-4. Kotipaikka/Domicile: Helsinki
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] dmaengine: virt-dma: Fix access after free in vcna_complete()
2019-12-20 13:11 [PATCH] dmaengine: virt-dma: Fix access after free in vcna_complete() Peter Ujfalusi
@ 2019-12-20 13:56 ` Ardelean, Alexandru
2019-12-20 14:01 ` Ardelean, Alexandru
2019-12-23 7:52 ` Vinod Koul
2 siblings, 0 replies; 6+ messages in thread
From: Ardelean, Alexandru @ 2019-12-20 13:56 UTC (permalink / raw)
To: vkoul, peter.ujfalusi; +Cc: dan.j.williams, dmaengine, s.hauer, linux-kernel
On Fri, 2019-12-20 at 15:11 +0200, Peter Ujfalusi wrote:
> [External]
>
> vchan_vdesc_fini() is freeing up 'vd' so the access to vd->tx_result is
> via already freed up memory.
>
> Move the vchan_vdesc_fini() after invoking the callback to avoid this.
>
Reviewed-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
> Fixes: 09d5b702b0f97 ("dmaengine: virt-dma: store result on dma
> descriptor")
> Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
> ---
> drivers/dma/virt-dma.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/drivers/dma/virt-dma.c b/drivers/dma/virt-dma.c
> index ec4adf4260a0..256fc662c500 100644
> --- a/drivers/dma/virt-dma.c
> +++ b/drivers/dma/virt-dma.c
> @@ -104,9 +104,8 @@ static void vchan_complete(unsigned long arg)
> dmaengine_desc_get_callback(&vd->tx, &cb);
>
> list_del(&vd->node);
> - vchan_vdesc_fini(vd);
> -
> dmaengine_desc_callback_invoke(&cb, &vd->tx_result);
> + vchan_vdesc_fini(vd);
> }
> }
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] dmaengine: virt-dma: Fix access after free in vcna_complete()
2019-12-20 13:11 [PATCH] dmaengine: virt-dma: Fix access after free in vcna_complete() Peter Ujfalusi
2019-12-20 13:56 ` Ardelean, Alexandru
@ 2019-12-20 14:01 ` Ardelean, Alexandru
2019-12-20 14:50 ` Peter Ujfalusi
2019-12-23 7:52 ` Vinod Koul
2 siblings, 1 reply; 6+ messages in thread
From: Ardelean, Alexandru @ 2019-12-20 14:01 UTC (permalink / raw)
To: vkoul, peter.ujfalusi; +Cc: dan.j.williams, dmaengine, s.hauer, linux-kernel
On Fri, 2019-12-20 at 15:11 +0200, Peter Ujfalusi wrote:
> [External]
>
> vchan_vdesc_fini() is freeing up 'vd' so the access to vd->tx_result is
> via already freed up memory.
>
> Move the vchan_vdesc_fini() after invoking the callback to avoid this.
>
Apologies for seeing this too late: typo in title vcna_complete() ->
vchan_complete()
> Fixes: 09d5b702b0f97 ("dmaengine: virt-dma: store result on dma
> descriptor")
> Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
> ---
> drivers/dma/virt-dma.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/drivers/dma/virt-dma.c b/drivers/dma/virt-dma.c
> index ec4adf4260a0..256fc662c500 100644
> --- a/drivers/dma/virt-dma.c
> +++ b/drivers/dma/virt-dma.c
> @@ -104,9 +104,8 @@ static void vchan_complete(unsigned long arg)
> dmaengine_desc_get_callback(&vd->tx, &cb);
>
> list_del(&vd->node);
> - vchan_vdesc_fini(vd);
> -
> dmaengine_desc_callback_invoke(&cb, &vd->tx_result);
> + vchan_vdesc_fini(vd);
> }
> }
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] dmaengine: virt-dma: Fix access after free in vcna_complete()
2019-12-20 14:01 ` Ardelean, Alexandru
@ 2019-12-20 14:50 ` Peter Ujfalusi
2019-12-23 7:54 ` Vinod Koul
0 siblings, 1 reply; 6+ messages in thread
From: Peter Ujfalusi @ 2019-12-20 14:50 UTC (permalink / raw)
To: Ardelean, Alexandru, vkoul
Cc: dan.j.williams, dmaengine, s.hauer, linux-kernel
On 20/12/2019 16.01, Ardelean, Alexandru wrote:
> On Fri, 2019-12-20 at 15:11 +0200, Peter Ujfalusi wrote:
>> [External]
>>
>> vchan_vdesc_fini() is freeing up 'vd' so the access to vd->tx_result is
>> via already freed up memory.
>>
>> Move the vchan_vdesc_fini() after invoking the callback to avoid this.
>>
>
> Apologies for seeing this too late: typo in title vcna_complete() ->
> vchan_complete()
Yep, I also noticed after sending it, I hope Vinod is kind enough and
fix it up when applying ;)
- Péter
>> Fixes: 09d5b702b0f97 ("dmaengine: virt-dma: store result on dma
>> descriptor")
>> Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
>> ---
>> drivers/dma/virt-dma.c | 3 +--
>> 1 file changed, 1 insertion(+), 2 deletions(-)
>>
>> diff --git a/drivers/dma/virt-dma.c b/drivers/dma/virt-dma.c
>> index ec4adf4260a0..256fc662c500 100644
>> --- a/drivers/dma/virt-dma.c
>> +++ b/drivers/dma/virt-dma.c
>> @@ -104,9 +104,8 @@ static void vchan_complete(unsigned long arg)
>> dmaengine_desc_get_callback(&vd->tx, &cb);
>>
>> list_del(&vd->node);
>> - vchan_vdesc_fini(vd);
>> -
>> dmaengine_desc_callback_invoke(&cb, &vd->tx_result);
>> + vchan_vdesc_fini(vd);
>> }
>> }
>>
Texas Instruments Finland Oy, Porkkalankatu 22, 00180 Helsinki.
Y-tunnus/Business ID: 0615521-4. Kotipaikka/Domicile: Helsinki
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] dmaengine: virt-dma: Fix access after free in vcna_complete()
2019-12-20 13:11 [PATCH] dmaengine: virt-dma: Fix access after free in vcna_complete() Peter Ujfalusi
2019-12-20 13:56 ` Ardelean, Alexandru
2019-12-20 14:01 ` Ardelean, Alexandru
@ 2019-12-23 7:52 ` Vinod Koul
2 siblings, 0 replies; 6+ messages in thread
From: Vinod Koul @ 2019-12-23 7:52 UTC (permalink / raw)
To: Peter Ujfalusi
Cc: dan.j.williams, dmaengine, linux-kernel, alexandru.ardelean, s.hauer
On 20-12-19, 15:11, Peter Ujfalusi wrote:
> vchan_vdesc_fini() is freeing up 'vd' so the access to vd->tx_result is
> via already freed up memory.
>
> Move the vchan_vdesc_fini() after invoking the callback to avoid this.
Applied, thanks
--
~Vinod
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] dmaengine: virt-dma: Fix access after free in vcna_complete()
2019-12-20 14:50 ` Peter Ujfalusi
@ 2019-12-23 7:54 ` Vinod Koul
0 siblings, 0 replies; 6+ messages in thread
From: Vinod Koul @ 2019-12-23 7:54 UTC (permalink / raw)
To: Peter Ujfalusi
Cc: Ardelean, Alexandru, dan.j.williams, dmaengine, s.hauer, linux-kernel
On 20-12-19, 16:50, Peter Ujfalusi wrote:
>
>
> On 20/12/2019 16.01, Ardelean, Alexandru wrote:
> > On Fri, 2019-12-20 at 15:11 +0200, Peter Ujfalusi wrote:
> >> [External]
> >>
> >> vchan_vdesc_fini() is freeing up 'vd' so the access to vd->tx_result is
> >> via already freed up memory.
> >>
> >> Move the vchan_vdesc_fini() after invoking the callback to avoid this.
> >>
> >
> > Apologies for seeing this too late: typo in title vcna_complete() ->
> > vchan_complete()
>
> Yep, I also noticed after sending it, I hope Vinod is kind enough and
> fix it up when applying ;)
In case it wasnt clear, yeah trivial changes while applying are no
hassle :)
--
~Vinod
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2019-12-23 7:54 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-12-20 13:11 [PATCH] dmaengine: virt-dma: Fix access after free in vcna_complete() Peter Ujfalusi
2019-12-20 13:56 ` Ardelean, Alexandru
2019-12-20 14:01 ` Ardelean, Alexandru
2019-12-20 14:50 ` Peter Ujfalusi
2019-12-23 7:54 ` Vinod Koul
2019-12-23 7:52 ` Vinod Koul
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).