Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp4495771pxf; Tue, 30 Mar 2021 09:09:22 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyO+iNjomZgu3dEiwF7weGzgD98c/bvYsiUaJMTd14Cq0k9/ICenFAG/uIDZACWC6peZUVE X-Received: by 2002:a17:907:628a:: with SMTP id nd10mr34243789ejc.326.1617120561799; Tue, 30 Mar 2021 09:09:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1617120561; cv=none; d=google.com; s=arc-20160816; b=f0TIJTmelt9NqASaOUoCccgqZ0bX59LPShNT7i6buKN8Qg7w1KLFtRyRPiUNr6xpMC VOiGD6rGABjoawwP6rT0nhvcaEUdmVKnXFV4rnBA8PdgewBPL4AwvPreWFoc+q/gKMxY OCreCTcUWdpCy/s0KpWvFZMOLHUsaCd/x1OEfrI7ZpbA62iA1FwwaM4FNoVn+PDFlvGZ u5h/ZqnYSQ3+/SPkMx+XOLB29uX1WxMWWdp3ZQ18Uz0CxHSq8nFeeoEht+p4PkjSFv/L 9dSTRjTCBEnwflzJndbGNkliVIBZr4j+akSh7jyO8SqaFOs/7AH+ThRxkzBjSRvYOrbB 7xfg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-language:content-transfer-encoding :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:ironport-sdr:ironport-sdr; bh=JFs0hrxys4QwonMGzJoLpZXkaPyJ6aqezCqFBHqMp2o=; b=xoS/F3/CEwvYiOL7paVAXGxYSl4+Ok31lR6Zp5RGAnt3hsOINXfTf4v4FHZGdDXS08 PchkbnDQz3rsdEiO08K50slNbxa1gv6DHsfUWVhGU/CYT1w60QB20Z4FEU+4rGGcffi3 uC86JTXIBRiLDpolgpPJk8vbrpdbzCYrE5dwdCiyNjWcWHTzxAgRUb9oRIUqP69xWQuI 5kg5pTig6/wKrgq/dmfkZUSm5PPHiY0s8X7ImF8nQ4fb/8BkmbV/VjFFBxOGkJtKAQId WUQy0hEMMhsCNabL5By4d6szfbXjgsmZQPEmjSmgQNRE1IL3Zz7Ih9Nlc3yUBy3p0MT0 YRGQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id i6si15622017edu.313.2021.03.30.09.08.57; Tue, 30 Mar 2021 09:09:21 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231910AbhC3QFh (ORCPT + 99 others); Tue, 30 Mar 2021 12:05:37 -0400 Received: from mga18.intel.com ([134.134.136.126]:2604 "EHLO mga18.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231928AbhC3QFV (ORCPT ); Tue, 30 Mar 2021 12:05:21 -0400 IronPort-SDR: 4ZtCD2rwaNCVA0YoOClamqIaZ9y6spldNQcvaTuCFMKYcwGogW/XNw06zRYA6qtOvJafyX01w1 /RXUMXcxYNqw== X-IronPort-AV: E=McAfee;i="6000,8403,9939"; a="179338252" X-IronPort-AV: E=Sophos;i="5.81,291,1610438400"; d="scan'208";a="179338252" Received: from orsmga003.jf.intel.com ([10.7.209.27]) by orsmga106.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Mar 2021 09:05:18 -0700 IronPort-SDR: DVGtRPaN9ETArW4C0/T/tA9GKqtY6BSo1LWZBFiECcgEkGp7Ca0qR5hI5F/Up0gI7CD2HHhFpf 5TSE4MIORYlA== X-IronPort-AV: E=Sophos;i="5.81,291,1610438400"; d="scan'208";a="376886416" Received: from djiang5-mobl1.amr.corp.intel.com (HELO [10.209.140.11]) ([10.209.140.11]) by orsmga003-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Mar 2021 09:05:16 -0700 Subject: Re: [PATCH] dma: Fix a double free in dma_async_device_register To: Lv Yunlong , vkoul@kernel.org Cc: dmaengine@vger.kernel.org, linux-kernel@vger.kernel.org References: <20210330090149.13476-1-lyl2019@mail.ustc.edu.cn> From: Dave Jiang Message-ID: Date: Tue, 30 Mar 2021 09:05:15 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.9.0 MIME-Version: 1.0 In-Reply-To: <20210330090149.13476-1-lyl2019@mail.ustc.edu.cn> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-US Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 3/30/2021 2:01 AM, Lv Yunlong wrote: > In the first list_for_each_entry() macro of dma_async_device_register, > it gets the chan from list and calls __dma_async_device_channel_register > (..,chan). We can see that chan->local is allocated by alloc_percpu() and > it is freed chan->local by free_percpu(chan->local) when > __dma_async_device_channel_register() failed. > > But after __dma_async_device_channel_register() failed, the caller will > goto err_out and freed the chan->local in the second time by free_percpu(). > > The cause of this problem is forget to set chan->local to NULL when > chan->local was freed in __dma_async_device_channel_register(). My > patch sets chan->local to NULL when the callee failed to avoid double free. Thanks for the fix. I think it would make sense to set it to NULL in __dma_async_device_channel_register() cleanup path after it calls free_percpu(chan->local) right? That would address any other instances of this issue happening else where. > > Fixes: d2fb0a0438384 ("dmaengine: break out channel registration") > Signed-off-by: Lv Yunlong > --- > drivers/dma/dmaengine.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/drivers/dma/dmaengine.c b/drivers/dma/dmaengine.c > index fe6a460c4373..fef64b198c95 100644 > --- a/drivers/dma/dmaengine.c > +++ b/drivers/dma/dmaengine.c > @@ -1249,8 +1249,10 @@ int dma_async_device_register(struct dma_device *device) > /* represent channels in sysfs. Probably want devs too */ > list_for_each_entry(chan, &device->channels, device_node) { > rc = __dma_async_device_channel_register(device, chan); > - if (rc < 0) > + if (rc < 0) { > + chan->local = NULL; > goto err_out; > + } > } > > mutex_lock(&dma_list_mutex);