2022-04-14 16:57:01

by Xiaomeng Tong

Subject: [RESEND][PATCH] firmware: stratix10-svc: fix a missing check on list iterator

The bug is here:
pmem->vaddr = NULL;

The list iterator 'pmem' will point to a bogus position containing
HEAD if the list is empty or no element is found. This case must
be checked before any use of the iterator, otherwise it will
lead to an invalid memory access.

To fix this bug, just gen_pool_free/set NULL/list_del() and return
when found, otherwise list_del HEAD and return;

Cc: [email protected]
Fixes: 7ca5ce896524f ("firmware: add Intel Stratix10 service layer driver")
Signed-off-by: Xiaomeng Tong <[email protected]>
---
drivers/firmware/stratix10-svc.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/firmware/stratix10-svc.c b/drivers/firmware/stratix10-svc.c
index 29c0a616b317..30093aa82b7f 100644
--- a/drivers/firmware/stratix10-svc.c
+++ b/drivers/firmware/stratix10-svc.c
@@ -941,17 +941,17 @@ EXPORT_SYMBOL_GPL(stratix10_svc_allocate_memory);
void stratix10_svc_free_memory(struct stratix10_svc_chan *chan, void *kaddr)
{
struct stratix10_svc_data_mem *pmem;
- size_t size = 0;

list_for_each_entry(pmem, &svc_data_mem, node)
if (pmem->vaddr == kaddr) {
- size = pmem->size;
- break;
+ gen_pool_free(chan->ctrl->genpool,
+ (unsigned long)kaddr, pmem->size);
+ pmem->vaddr = NULL;
+ list_del(&pmem->node);
+ return;
}

- gen_pool_free(chan->ctrl->genpool, (unsigned long)kaddr, size);
- pmem->vaddr = NULL;
- list_del(&pmem->node);
+ list_del(&svc_data_mem);
}
EXPORT_SYMBOL_GPL(stratix10_svc_free_memory);
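
Review bot: The not-found path now ends in `list_del(&svc_data_mem);`, which unlinks the list head itself rather than an entry. That matches what the old code did by accident (with no match, `&pmem->node` was the head), but it does not look like intended behaviour: after it, any entries still on the list are no longer reachable from `svc_data_mem`, and the head's own next/prev pointers are left poisoned for the next `list_for_each_entry()` or add on this list. Suggest dropping that line and simply returning when `kaddr` is not found, possibly with a warning, since an untracked address reaching this function points to a caller bug.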

--
2.17.1
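
The failure mode the commit message describes, reproduced in userspace as an added example (not code from the patch or the driver). The list macros are simplified stand-ins for the kernel's, and `struct mem_entry`, `cursor_is_head_after_search()`, `find_entry()` and `run_demo()` are hypothetical names.

```c
#include <stddef.h>
/* Simplified userspace stand-ins for the kernel's <linux/list.h> helpers. */
struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_for_each_entry(pos, head, member) \
	for (pos = container_of((head)->next, __typeof__(*pos), member); \
	     &pos->member != (head); \
	     pos = container_of(pos->member.next, __typeof__(*pos), member))

/* Hypothetical entry type, modelled on the fields the patch touches. */
struct mem_entry { void *vaddr; size_t size; struct list_head node; };

/* Pre-patch search shape; returns 1 if the cursor ends at container_of(head). */
static int cursor_is_head_after_search(struct list_head *head, void *kaddr)
{
	struct mem_entry *pos;

	list_for_each_entry(pos, head, node)
		if (pos->vaddr == kaddr)
			break;
	return &pos->node == head;	/* compared only, never dereferenced */
}

/* Lookup that never exposes the cursor: NULL on a miss. */
static struct mem_entry *find_entry(struct list_head *head, void *kaddr)
{
	struct mem_entry *pos;

	list_for_each_entry(pos, head, node)
		if (pos->vaddr == kaddr)
			return pos;
	return NULL;
}

/* Constructed input: one tracked buffer and one address that is not tracked. */
int run_demo(void)
{
	static char tracked[8], stray[8];
	struct list_head empty = { &empty, &empty }, head;
	struct mem_entry e = { tracked, sizeof(tracked), { &head, &head } };

	head.next = head.prev = &e.node;
	return cursor_is_head_after_search(&empty, tracked)		/* empty list */
	     | (cursor_is_head_after_search(&head, stray) << 1)	/* no match */
	     | ((find_entry(&head, tracked) == &e) << 2)		/* hit */
	     | ((find_entry(&head, stray) == NULL) << 3);		/* miss: NULL */
}

int main(void) { return run_demo() == 15 ? 0 : 1; }
```

In both miss cases the cursor is the head reinterpreted as an entry, so a write such as `pos->vaddr = NULL` would land in memory adjacent to the list head instead of in a tracked entry.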


2022-05-03 00:05:10

by Dinh Nguyen

Subject: Re: [RESEND][PATCH] firmware: stratix10-svc: fix a missing check on list iterator



On 4/13/22 22:56, Xiaomeng Tong wrote:
> The bug is here:
> pmem->vaddr = NULL;
>
> The list iterator 'pmem' will point to a bogus position containing
> HEAD if the list is empty or no element is found. This case must
> be checked before any use of the iterator, otherwise it will
> lead to an invalid memory access.
>
> To fix this bug, just gen_pool_free/set NULL/list_del() and return
> when found, otherwise list_del HEAD and return;
>
> Cc: [email protected]
> Fixes: 7ca5ce896524f ("firmware: add Intel Stratix10 service layer driver")
> Signed-off-by: Xiaomeng Tong <[email protected]>
> ---
> drivers/firmware/stratix10-svc.c | 12 ++++++------
> 1 file changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/firmware/stratix10-svc.c b/drivers/firmware/stratix10-svc.c
> index 29c0a616b317..30093aa82b7f 100644
> --- a/drivers/firmware/stratix10-svc.c
> +++ b/drivers/firmware/stratix10-svc.c
> @@ -941,17 +941,17 @@ EXPORT_SYMBOL_GPL(stratix10_svc_allocate_memory);
> void stratix10_svc_free_memory(struct stratix10_svc_chan *chan, void *kaddr)
> {
> struct stratix10_svc_data_mem *pmem;
> - size_t size = 0;
>
> list_for_each_entry(pmem, &svc_data_mem, node)
> if (pmem->vaddr == kaddr) {
> - size = pmem->size;
> - break;
> + gen_pool_free(chan->ctrl->genpool,
> + (unsigned long)kaddr, pmem->size);
> + pmem->vaddr = NULL;
> + list_del(&pmem->node);
> + return;
> }
>
> - gen_pool_free(chan->ctrl->genpool, (unsigned long)kaddr, size);
> - pmem->vaddr = NULL;
> - list_del(&pmem->node);
> + list_del(&svc_data_mem);
> }
> EXPORT_SYMBOL_GPL(stratix10_svc_free_memory);
>
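
Review bot: In the found branch, the body of `list_for_each_entry()` is now a multi-statement `if` block with no braces around the loop itself; kernel coding style asks for braces when a loop contains more than a single simple statement, so please wrap the loop body. A one-line comment would also help there, noting that calling `list_del(&pmem->node)` inside the non-`_safe` iterator is only fine because of the immediate `return`.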

Acked-by: Dinh Nguyen <[email protected]>