Received: by 2002:a25:ef43:0:0:0:0:0 with SMTP id w3csp308796ybm; Thu, 28 May 2020 03:21:49 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxoBrpZtMaaigAe7DFeqeIsR3D3wKMnr/tGvjkwRUlpB7uqheaHIFblYqsjordEEfH8MM/f X-Received: by 2002:a17:906:edb5:: with SMTP id sa21mr2312792ejb.78.1590661309485; Thu, 28 May 2020 03:21:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1590661309; cv=none; d=google.com; s=arc-20160816; b=XRSd15OLa0CqDfYAj6aA07CmpqaF8ZRQOkF0PwFrBQngW7eCPVk6VGjYcnt5DZ/9VO kCoUIP+gAYXC2n5DxHtorJxgzJ6LrOYWEDDDLmGHIRG6VD0lwydkOv+jgUfZ6AVpPTNv 9oXXMhyX38/yoNd+3XiSrNPk2Hz2LAJHiIgEKIAfAnpyabFUtnWnuNLbCaFxDV/3JL2P HsDwMjfQgIpL1+UHGrytMXEOe7I3dxdEfTqlW1r/V+1PglfcPI/j2xKwz8j+ege9gQ+A nrruzj7wSuFiPT86CPWWvlbF0/vST/0BITX5wx/fI7wYqP1uG4UybGVFm897BZg16UT4 E2Bw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=f5eLdtnXoyYrMReynJ8g23vP6dcjH2deBArK9MBPsOA=; b=j0Z8Iy/448CxdUsF7Bf3815vi5Uu1GZ1S4oCPgVt77cOhnj74iudPXZBJiLavjZVer +xvwPLOQFG4ds3dbk1aREIpYAcAk0oZmbh6GHrPVCSUU8OlHirKnYGhjrZz/T2eNPBix 1mJOKENfIu48BbTJsD+Y7leYLKxM2+P7NualSakvypn+Lr7l6U2C4nJnqWpPJTCJyYSs o2OgI2LgIt1cDXBJGPBD4GhwhYMAKblx61axTJqFiwzz65uLRzGbLoSocDyerDwkmTsO H2pLJ5qUNSxvncPCrffI84y7qg9kPA/k/RPtc19dOyTgQe5CFNjdhuk2bbvQdadkgW/M 34nQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=E0SfhFNx; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g11si4017052ejf.82.2020.05.28.03.21.26; Thu, 28 May 2020 03:21:49 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=E0SfhFNx; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387758AbgE1KTm (ORCPT + 99 others); Thu, 28 May 2020 06:19:42 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59638 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2387717AbgE1KTh (ORCPT ); Thu, 28 May 2020 06:19:37 -0400 Received: from mail-ua1-x942.google.com (mail-ua1-x942.google.com [IPv6:2607:f8b0:4864:20::942]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 34F9FC08C5C5 for ; Thu, 28 May 2020 03:19:37 -0700 (PDT) Received: by mail-ua1-x942.google.com with SMTP id g7so9460189uap.7 for ; Thu, 28 May 2020 03:19:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=f5eLdtnXoyYrMReynJ8g23vP6dcjH2deBArK9MBPsOA=; b=E0SfhFNxQyV6Kh+9tWKDRG4U5sfqRQI5rDSruFXsJJLQLir/rQrwWI5QcOYlJwuQCk Ruo3Kc+DPz+HBMfcM6GbV1XHVkZe0rw+E3qMRvnSVOqNyTHAsbH4p/KTS1HBOOyY9OJ7 gwSQCv7QRvOw0nYZID/1WqcBILuTP0HvtDQukSUUyNfedVG/STJ3rno6I2hz2ReBDWHw TQbImKFmrPZG+EeG4rcQ/ueL0EJitzGg+WJkdcT92NegsshP3LkwQE2Tr6QoLqS0dwdB CnyZcA32OQkkzto7OzjPl15fgpmq/ebuhyHafa6nfguLRUeHUbwTA0LatnSm5j1cLqbG BPYA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=f5eLdtnXoyYrMReynJ8g23vP6dcjH2deBArK9MBPsOA=; b=iXXfcSyBSOs+drzt22BDwqJF0crGC3Ez0gW1QLLFpguM/f4B5t9ncAQhGzo+dEZiWW WbNCK3Iv+YuXimrVzGZ0gHXgEw9uaqGGV5SU+LGv/KikE7OIeljU7wro/UhOrGoXFpTb 5XN+QAgev0FyQCqr8H1MEUFCOAnP96WXn+amiAgpnYnYU3zQ+gl9miNK5aZxCbl5Ro9E DtkB8VNaokazmBrP8+1VnADJxbwDmzJizIcuKbTsBpwHQvSR2DmjUFXIsM7IHovh3Qp0 vVjkDKfXQvtQSeJeGAypTfAWyJ2VNp++lXHLZ0hUOy0b7cCDqnfSJBhCk7f94a0jAWnW Q4ZQ== X-Gm-Message-State: AOAM530/bS47KNLa63LM+Rz2MO7xlQhLZPWYB1KsWta7qLjwqmhxYhHp jh9qLFmwkmdZQ4gN96V2BP7F62ob483Wto2yw1kNwg== X-Received: by 2002:ab0:70c9:: with SMTP id r9mr1364877ual.15.1590661175270; Thu, 28 May 2020 03:19:35 -0700 (PDT) MIME-Version: 1.0 References: <20200527082334.20774-1-tomi.valkeinen@ti.com> <53acbff5-ccb2-1f26-c1e3-54a540ac537f@samsung.com> In-Reply-To: <53acbff5-ccb2-1f26-c1e3-54a540ac537f@samsung.com> From: Ulf Hansson Date: Thu, 28 May 2020 12:18:59 +0200 Message-ID: Subject: Re: [PATCHv2] media: videobuf2-dma-contig: fix bad kfree in vb2_dma_contig_clear_max_seg_size To: Marek Szyprowski , Tomi Valkeinen Cc: Linux Media Mailing List , Mauro Carvalho Chehab , LKML , "# 4.0+" Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 28 May 2020 at 11:24, Marek Szyprowski wrote: > > Hi Ulf, > > On 28.05.2020 11:14, Ulf Hansson wrote: > > On Wed, 27 May 2020 at 10:23, Tomi Valkeinen wrote: > >> Commit 9495b7e92f716ab2bd6814fab5e97ab4a39adfdd ("driver core: platform: > >> Initialize dma_parms for platform devices") in v5.7-rc5 causes > >> vb2_dma_contig_clear_max_seg_size() to kfree memory that was not > >> allocated by vb2_dma_contig_set_max_seg_size(). > >> > >> The assumption in vb2_dma_contig_set_max_seg_size() seems to be that > >> dev->dma_parms is always NULL when the driver is probed, and the case > >> where dev->dma_parms has bee initialized by someone else than the driver > >> (by calling vb2_dma_contig_set_max_seg_size) will cause a failure. > >> > >> All the current users of these functions are platform devices, which now > >> always have dma_parms set by the driver core. To fix the issue for v5.7, > >> make vb2_dma_contig_set_max_seg_size() return an error if dma_parms is > >> NULL to be on the safe side, and remove the kfree code from > >> vb2_dma_contig_clear_max_seg_size(). > >> > >> For v5.8 we should remove the two functions and move the > >> dma_set_max_seg_size() calls into the drivers. > >> > >> Signed-off-by: Tomi Valkeinen > >> Fixes: 9495b7e92f71 ("driver core: platform: Initialize dma_parms for platform devices") > >> Cc: stable@vger.kernel.org > > Thanks for fixing this! > > > > However, as I tried to point out in v1, don't you need to care about > > drivers/media/platform/s5p-mfc/s5p_mfc.c, which allocates its own type > > of struct device (non-platform). No? > > I will send a patch for the S5P MFC driver separately. It is not so > critical, because the mentioned 2port memory case is not used on any > board with the default exynos_defconfig from mainline. On Exynos4-based > boards it is only used when IOMMU is disabled. It is mainly for > S5PV210/S5PC110 boards, which are still not fully functional after > conversion to device-tree. Okay, makes sense to me. Feel free to add: Reviewed-by: Ulf Hansson For the s5p_mfc issue, here's how I would have done it (just pick the code if you want). diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc.c b/drivers/media/platform/s5p-mfc/s5p_mfc.c index 5c2a23b953a4..7acf2a03812d 100644 --- a/drivers/media/platform/s5p-mfc/s5p_mfc.c +++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c @@ -1070,6 +1070,7 @@ static const struct v4l2_file_operations s5p_mfc_fops = { /* DMA memory related helper functions */ static void s5p_mfc_memdev_release(struct device *dev) { + kfree(dev->dma_parms); of_reserved_mem_device_release(dev); } @@ -1090,6 +1091,10 @@ static struct device *s5p_mfc_alloc_memdev(struct device *dev, child->dma_mask = dev->dma_mask; child->release = s5p_mfc_memdev_release; + child->dma_parms = kzalloc(sizeof(*child->dma_parms), GFP_KERNEL); + if (!child->dma_parms) + goto err; + /* * The memdevs are not proper OF platform devices, so in order for them * to be treated as valid DMA masters we need a bit of a hack to force @@ -1105,6 +1110,7 @@ static struct device *s5p_mfc_alloc_memdev(struct device *dev, device_del(child); } +err: put_device(child); return NULL; } Kind regards Uffe