Received: by 2002:a25:7ec1:0:0:0:0:0 with SMTP id z184csp731422ybc; Sat, 16 Nov 2019 07:43:39 -0800 (PST) X-Google-Smtp-Source: APXvYqz6lBtAXOVUn0/hmPCE9SMWdwXKvB9JclrtUeCuodzMWw8r+G039n5RsZyzeK1UyqjuYsGX X-Received: by 2002:a17:907:206d:: with SMTP id qp13mr10288359ejb.92.1573919019553; Sat, 16 Nov 2019 07:43:39 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1573919019; cv=none; d=google.com; s=arc-20160816; b=u46/aiOmTO4LaGDCKBauLbeHLdPw/FqHaHFOu+8oCv1D+3jtysRL4xi/P4UmF0+4Me nk/Gp8zUFDVJL2I23sA5NLTZyUTNSQ6x3faSM5TY/f4dHG6xMj8hUiXDGpdIjlJcf8Py odYMIM4jnW5sj/cZOL3hKRGAI94SsGRg3JYK5uM/qsAnM7Llw3bVvc7REcaxtmIhUR3O g2OgZlQPzpBrbfbpWVblamYguDvZtcsACUxkrnQ7NmKsqZ/+rhPqC/EFT1AIn4TWL1v+ YIqKV+qTF88M2padqnST90LRx2b0raTdmNLwgtO+MSqc95WQlkkl0jA/Z7IipBn7O/ON eIOw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=v5x5Rn2wPX0XskJ2XDelJAMMMMYiA5bawjlr6XUlyJw=; b=kEchiX+RMI7AkXEbm8YBHvrVlaqm3bJiJpiF43Qe/SIikjM+rXkrbeOho/flJCLEd7 eWCK/5bnCCqSeZC0lDhmEFCzPKdUfP/6yLtF1ptQ9IcMLnp/lVBAe1l6yfwM8LAzW1YB 0x6Nvvp4xOqjkzAdEQMnlzQl0Wh1LCy3X4fRxf+U3zDNBXeDhrf9K4Lcvh2WHlPmf1tL Sef88yTKfv7LpTFv8LRrlhZl75/ud9V1ljDXF/n4nSGP8wxN9SCSSr8YUy5xqRVbhljt K07wylbmNNX6H6qIL9MCJ0EZZLOOXZbQXBHEhOp/PGwnkKHBPUey+csLhP53lPNHdRKZ 9t6w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=nYzMVJm2; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x26si8886059eda.404.2019.11.16.07.43.14; Sat, 16 Nov 2019 07:43:39 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=nYzMVJm2; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728023AbfKPPlu (ORCPT + 99 others); Sat, 16 Nov 2019 10:41:50 -0500 Received: from mail.kernel.org ([198.145.29.99]:45070 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728001AbfKPPlr (ORCPT ); Sat, 16 Nov 2019 10:41:47 -0500 Received: from sasha-vm.mshome.net (unknown [50.234.116.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3EB8720740; Sat, 16 Nov 2019 15:41:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1573918906; bh=XP4W78k7tWdh+OxHKfg/hOgoXSYlnsAKcT0blXHT8RY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=nYzMVJm2bfYsaUA6rgO7kyVIU+A8E0ivRSTG2/ahPCBOSAhNg/qUag1UWA/7WzuMP 0bv0FR5NX5oEK7vSh537IZFKU4Mu+EnMKW1vb5A/jjvi/wnCXvn6V8l7simAtILZTx ZvKLRBhoAhV9Kx3tOaJBLB0SMKWPaGeHJgEUa1ic= From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Wenwen Wang , Greg Kroah-Hartman , Sasha Levin Subject: [PATCH AUTOSEL 4.19 031/237] misc: mic: fix a DMA pool free failure Date: Sat, 16 Nov 2019 10:37:46 -0500 Message-Id: <20191116154113.7417-31-sashal@kernel.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20191116154113.7417-1-sashal@kernel.org> References: <20191116154113.7417-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Wenwen Wang [ Upstream commit 6b995f4eec34745f6cb20d66d5277611f0b3c3fa ] In _scif_prog_signal(), the boolean variable 'x100' is used to indicate whether the MIC Coprocessor is X100. If 'x100' is true, the status descriptor will be used to write the value to the destination. Otherwise, a DMA pool will be allocated for this purpose. Specifically, if the DMA pool is allocated successfully, two memory addresses will be returned. One is for the CPU and the other is for the device to access the DMA pool. The former is stored to the variable 'status' and the latter is stored to the variable 'src'. After the allocation, the address in 'src' is saved to 'status->src_dma_addr', which is actually in the DMA pool, and 'src' is then modified. Later on, if an error occurs, the execution flow will transfer to the label 'dma_fail', which will check 'x100' and free up the allocated DMA pool if 'x100' is false. The point here is that 'status->src_dma_addr' is used for freeing up the DMA pool. As mentioned before, 'status->src_dma_addr' is in the DMA pool. And thus, the device is able to modify this data. This can potentially cause failures when freeing up the DMA pool because of the modified device address. This patch avoids the above issue by using the variable 'src' (with necessary calculation) to free up the DMA pool. Signed-off-by: Wenwen Wang Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/misc/mic/scif/scif_fence.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/misc/mic/scif/scif_fence.c b/drivers/misc/mic/scif/scif_fence.c index cac3bcc308a7e..7bb929f05d852 100644 --- a/drivers/misc/mic/scif/scif_fence.c +++ b/drivers/misc/mic/scif/scif_fence.c @@ -272,7 +272,7 @@ static int _scif_prog_signal(scif_epd_t epd, dma_addr_t dst, u64 val) dma_fail: if (!x100) dma_pool_free(ep->remote_dev->signal_pool, status, - status->src_dma_addr); + src - offsetof(struct scif_status, val)); alloc_fail: return err; } -- 2.20.1