From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Wenwen Wang, Sasha Levin
Subject: [PATCH 4.14 035/211] misc: mic: fix a DMA pool free failure
Date: Wed, 27 Nov 2019 21:29:28 +0100
Message-Id: <20191127203055.205259032@linuxfoundation.org>
In-Reply-To: <20191127203049.431810767@linuxfoundation.org>
References: <20191127203049.431810767@linuxfoundation.org>

From: Wenwen Wang

[ Upstream commit 6b995f4eec34745f6cb20d66d5277611f0b3c3fa ]

In _scif_prog_signal(), the boolean variable 'x100' is used to indicate whether the MIC Coprocessor is X100. If 'x100' is true, the status descriptor will be used to write the value to the destination. Otherwise, a DMA pool will be allocated for this purpose. Specifically, if the DMA pool is allocated successfully, two memory addresses will be returned. One is for the CPU and the other is for the device to access the DMA pool. The former is stored to the variable 'status' and the latter is stored to the variable 'src'.

After the allocation, the address in 'src' is saved to 'status->src_dma_addr', which is actually in the DMA pool, and 'src' is then modified. Later on, if an error occurs, the execution flow will transfer to the label 'dma_fail', which will check 'x100' and free up the allocated DMA pool if 'x100' is false.

The point here is that 'status->src_dma_addr' is used for freeing up the DMA pool. As mentioned before, 'status->src_dma_addr' is in the DMA pool. And thus, the device is able to modify this data. This can potentially cause failures when freeing up the DMA pool because of the modified device address.

This patch avoids the above issue by using the variable 'src' (with necessary calculation) to free up the DMA pool.

Signed-off-by: Wenwen Wang
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Sasha Levin

--- drivers/misc/mic/scif/scif_fence.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/misc/mic/scif/scif_fence.c b/drivers/misc/mic/scif/scif_fence.c index cac3bcc308a7e..7bb929f05d852 100644 --- a/drivers/misc/mic/scif/scif_fence.c +++ b/drivers/misc/mic/scif/scif_fence.c @@ -272,7 +272,7 @@ static int _scif_prog_signal(scif_epd_t epd, dma_addr_t dst, u64 val) dma_fail: if (!x100) dma_pool_free(ep->remote_dev->signal_pool, status, - status->src_dma_addr); + src - offsetof(struct scif_status, val)); alloc_fail: return err; } -- 2.20.1
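
Review bot: The new free argument at dma_fail, `src - offsetof(struct scif_status, val)`, is only the original pool handle if `src` has already been advanced by exactly that offset on every path that jumps to dma_fail, and nothing in this hunk shows or enforces that. The commit message says 'src' is modified after being saved, but the adjustment sits outside the visible context, so a later change that adds a `goto dma_fail` before the adjustment, or changes the offset added to `src`, would hand dma_pool_free() a wrong address without any warning. Keeping the handle returned by the pool allocation in its own local that is never modified (a hypothetical `status_dma`, for instance) and passing that to dma_pool_free() would remove the coupling and the arithmetic in the error path. Since the message establishes that 'status->src_dma_addr' lives in device-writable memory, a short comment at dma_fail saying why the field must not be read back there would also help keep it from being reintroduced.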