Received: by 10.213.65.68 with SMTP id h4csp381770imn; Wed, 21 Mar 2018 22:18:48 -0700 (PDT) X-Google-Smtp-Source: AG47ELuwkjM21jEupbBeOqcv8IlcjOdkKuw/6Sx1b1kLGAr1x54QB+oE/opASGepOweZkulvJ9Uu X-Received: by 10.98.47.70 with SMTP id v67mr19075708pfv.95.1521695928283; Wed, 21 Mar 2018 22:18:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1521695928; cv=none; d=google.com; s=arc-20160816; b=VUma3/iS0wzYTYHWE9DQ1gTkaSiR5Y25bwqqHh5Xsurv83jM6TxvCPIzj2AKd+koOq DxA5qKC66+xqD5a4Rs4qvvNntUqVRd4yFN8lBNpO1IYRuuIS33Rk6fO8/qPCRjHnWLLD yjTrcccD3J5+sYixgJVB6QII7wuptKZeJjjHMPjhzpQ3dnl1DN9E7VdU8Q5M+teKaGZy Xz8hbojI+zcVB9RdErhKtvFtCZU2/IqpAa6IECpao1p3VxwL0kyVxHflo6a9fyJQvuoA WvhUbggsl0u+XsAuZ7iSpc98YavHJbu3NK60If7Rpfbmjq25QH2hPEBXSrA+VBGob8w1 2sUA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=DvjPTZws9ji1vErojDTo4xXBXaoCwxB1pJS60gXhD+w=; b=SpT0gOvH/S7tISD2ApM6cBRx+RmkszijhzA1FYwUJtHejtXJyvmJcIXJvkNQIOp9mr eD4ldzjyuyrcZUv0cETHDac5cBSyRl4wXiS4EB93BK0AMN47kGviUZckFoILI6adBIAg 5sgNmmH6FxYYmlMSTT9GzxNqoRTTioeTr6E2fVrgd932+t8RdjSbrznWACGV2oJhjC3U i8bY6EV/s/uo8pl80CaIXEO1HRhdNcwZMuerklBk9KJiAnI6k/mIAIaYG5p9nIkiAaGK WFkYwjchB+TGEBcnqG6Jo52wS+45N/Usm0q+nLI5dSFRwW1F5fTnbstySZiabedNdH/v Etsw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d16-v6si5686808plj.220.2018.03.21.22.18.33; Wed, 21 Mar 2018 22:18:48 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752257AbeCVFRo (ORCPT + 99 others); Thu, 22 Mar 2018 01:17:44 -0400 Received: from mga05.intel.com ([192.55.52.43]:28737 "EHLO mga05.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752042AbeCVFRm (ORCPT ); Thu, 22 Mar 2018 01:17:42 -0400 X-Amp-Result: UNKNOWN X-Amp-Original-Verdict: FILE UNKNOWN X-Amp-File-Uploaded: False Received: from fmsmga003.fm.intel.com ([10.253.24.29]) by fmsmga105.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 21 Mar 2018 22:17:42 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.48,343,1517904000"; d="scan'208";a="35832958" Received: from vkoul-udesk7.iind.intel.com (HELO localhost) ([10.223.84.143]) by FMSMGA003.fm.intel.com with ESMTP; 21 Mar 2018 22:17:40 -0700 Date: Thu, 22 Mar 2018 10:51:50 +0530 From: Vinod Koul To: Pierre-Yves MORDRET Cc: Maxime Coquelin , Alexandre Torgue , Dan Williams , M'boumba Cedric Madianga , dmaengine@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH v1 1/1] dmaengine: stm32-dmamux: fix a potential buffer overflow Message-ID: <20180322052150.GB15443@localhost> References: <1520960135-26575-1-git-send-email-pierre-yves.mordret@st.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1520960135-26575-1-git-send-email-pierre-yves.mordret@st.com> User-Agent: Mutt/1.5.24 (2015-08-30) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Mar 13, 2018 at 05:55:35PM +0100, Pierre-Yves MORDRET wrote: > The bitfield dma_inuse is allocated of size dma_requests bits, thus a > valid bit address is from 0 to (dma_requests - 1). > When find_first_zero_bit() fails, it returns dma_requests as invalid > address. > Using such address for the following set_bit() is incorrect and, if > dma_requests is a multiple of BITS_PER_LONG, it will cause a buffer > overflow. > Currently this driver is only used in DT stm32h743.dtsi where a safe value > dma_requests=16 is not triggering the buffer overflow. > > Fixed by checking the return value of find_first_zero_bit() _before_ > using it. Applied, thanks -- ~Vinod