Received: by 2002:a25:7ec1:0:0:0:0:0 with SMTP id z184csp6020459ybc; Wed, 27 Nov 2019 13:31:53 -0800 (PST) X-Google-Smtp-Source: APXvYqzxDtDi2dhC4evvf5jdbLQHOOCRVMoFOcPwqmjRkiwOTr60aCMLfKj8xwrWRwCyqyqZ6i6v X-Received: by 2002:aa7:d391:: with SMTP id x17mr34110500edq.43.1574890313315; Wed, 27 Nov 2019 13:31:53 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1574890313; cv=none; d=google.com; s=arc-20160816; b=le1LwxxEu4hD4WDsqiDw4vcACYUzKwLGj6/PJiqKLUDLO35Wr5AucFUwewlcDEehkR UJnkZbqSl9uUMtATLCFZNuLHm69LYc8zkRmRpguAI+CoZciREIZsm3E2H3R+DL2itZ/3 H+7buHeF7kMgwcmQk+ctysT7IP0oQophjPwGpXThRydx299leW7cIqp9fj1F6UVT+Nlr rfnJ56Zuc2YIIMwO4tzynykIUWbDiBi1BRtPdCYS9ma1sPEkthmUhcyEw8ozssepqLaM GBlRbIU3gsmoZ8jFyaOcF9PDp+xIRP9OyQJLsyD2qwjyk1/1IrzKxmIBDZvx7S9KcG5T w5gQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=v5x5Rn2wPX0XskJ2XDelJAMMMMYiA5bawjlr6XUlyJw=; b=mp1DEi9dEa9z1CIS7wUk7P/OY5UG/j5A3nlr2DQpsDAj+9AH3x2N8BQ6F+QJ1urYI+ 5FE1plvXFzM/LVSyrwJyGBU9li+K0UoHfsT5zxtZg+6ngcQqqfu5VF6jbPOEoGgprSC7 3SO5COPRTfs6LYTDJ6kugmsnRz8vvhbKdWGrfzAY98b4fFDasmHgvLWuWpIi+ICZQYN0 EGBLNK7umzEei6QYalH2QNGPuSQsJ97zoYk7gCWLsDCQ57uXEJWBwiZ0lvJrJD7T3UT7 STs8BCInqjYAM9JrKTfqQ2DbpI/8iPj0OUjaxCQJ5wgsTjtVUcHE8zqYncfof6Mvdxbz AUxw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=lIy09gT0; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b27si9904356eje.95.2019.11.27.13.31.30; Wed, 27 Nov 2019 13:31:53 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=lIy09gT0; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731188AbfK0U50 (ORCPT + 99 others); Wed, 27 Nov 2019 15:57:26 -0500 Received: from mail.kernel.org ([198.145.29.99]:48356 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731160AbfK0U5V (ORCPT ); Wed, 27 Nov 2019 15:57:21 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 16206217AB; Wed, 27 Nov 2019 20:57:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1574888240; bh=XP4W78k7tWdh+OxHKfg/hOgoXSYlnsAKcT0blXHT8RY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=lIy09gT0Kd/hpmtGq7LOBHwevkIa0O0itfClQur5v4GBj76BtaOkt0erWoU5tVyek lCUpANb6P7Sz1iNIaESxLKb5Zf3ks+Hd10xsPUIiZ0+zO1zW9BLUe2WL6JC++15U+f jEikFba+0nmWFbXljUmN+pVGZITyR/n/KhwfDhus= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Wenwen Wang , Sasha Levin Subject: [PATCH 4.19 051/306] misc: mic: fix a DMA pool free failure Date: Wed, 27 Nov 2019 21:28:21 +0100 Message-Id: <20191127203118.514644607@linuxfoundation.org> X-Mailer: git-send-email 2.24.0 In-Reply-To: <20191127203114.766709977@linuxfoundation.org> References: <20191127203114.766709977@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Wenwen Wang [ Upstream commit 6b995f4eec34745f6cb20d66d5277611f0b3c3fa ] In _scif_prog_signal(), the boolean variable 'x100' is used to indicate whether the MIC Coprocessor is X100. If 'x100' is true, the status descriptor will be used to write the value to the destination. Otherwise, a DMA pool will be allocated for this purpose. Specifically, if the DMA pool is allocated successfully, two memory addresses will be returned. One is for the CPU and the other is for the device to access the DMA pool. The former is stored to the variable 'status' and the latter is stored to the variable 'src'. After the allocation, the address in 'src' is saved to 'status->src_dma_addr', which is actually in the DMA pool, and 'src' is then modified. Later on, if an error occurs, the execution flow will transfer to the label 'dma_fail', which will check 'x100' and free up the allocated DMA pool if 'x100' is false. The point here is that 'status->src_dma_addr' is used for freeing up the DMA pool. As mentioned before, 'status->src_dma_addr' is in the DMA pool. And thus, the device is able to modify this data. This can potentially cause failures when freeing up the DMA pool because of the modified device address. This patch avoids the above issue by using the variable 'src' (with necessary calculation) to free up the DMA pool. Signed-off-by: Wenwen Wang Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/misc/mic/scif/scif_fence.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/misc/mic/scif/scif_fence.c b/drivers/misc/mic/scif/scif_fence.c index cac3bcc308a7e..7bb929f05d852 100644 --- a/drivers/misc/mic/scif/scif_fence.c +++ b/drivers/misc/mic/scif/scif_fence.c @@ -272,7 +272,7 @@ static int _scif_prog_signal(scif_epd_t epd, dma_addr_t dst, u64 val) dma_fail: if (!x100) dma_pool_free(ep->remote_dev->signal_pool, status, - status->src_dma_addr); + src - offsetof(struct scif_status, val)); alloc_fail: return err; } -- 2.20.1