system/linux
system/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux synced 2024-10-02 01:10:22 +00:00
Code Issues Packages Projects Releases Wiki Activity
linux/drivers/dma
History
Guillaume Ranquet 0a2ff58f9f dmaengine: mediatek: free the proper desc in desc_free handler 
The desc_free handler assumed that the desc we want to free was always
 the current one associated with the channel.

This is seldom the case and this is causing use after free crashes in
 multiple places (tx/rx/terminate...).

  BUG: KASAN: use-after-free in mtk_uart_apdma_rx_handler+0x120/0x304

  Call trace:
   dump_backtrace+0x0/0x1b0
   show_stack+0x24/0x34
   dump_stack+0xe0/0x150
   print_address_description+0x8c/0x55c
   __kasan_report+0x1b8/0x218
   kasan_report+0x14/0x20
   __asan_load4+0x98/0x9c
   mtk_uart_apdma_rx_handler+0x120/0x304
   mtk_uart_apdma_irq_handler+0x50/0x80
   __handle_irq_event_percpu+0xe0/0x210
   handle_irq_event+0x8c/0x184
   handle_fasteoi_irq+0x1d8/0x3ac
   __handle_domain_irq+0xb0/0x110
   gic_handle_irq+0x50/0xb8
   el0_irq_naked+0x60/0x6c

  Allocated by task 3541:
   __kasan_kmalloc+0xf0/0x1b0
   kasan_kmalloc+0x10/0x1c
   kmem_cache_alloc_trace+0x90/0x2dc
   mtk_uart_apdma_prep_slave_sg+0x6c/0x1a0
   mtk8250_dma_rx_complete+0x220/0x2e4
   vchan_complete+0x290/0x340
   tasklet_action_common+0x220/0x298
   tasklet_action+0x28/0x34
   __do_softirq+0x158/0x35c

  Freed by task 3541:
   __kasan_slab_free+0x154/0x224
   kasan_slab_free+0x14/0x24
   slab_free_freelist_hook+0xf8/0x15c
   kfree+0xb4/0x278
   mtk_uart_apdma_desc_free+0x34/0x44
   vchan_complete+0x1bc/0x340
   tasklet_action_common+0x220/0x298
   tasklet_action+0x28/0x34
   __do_softirq+0x158/0x35c

  The buggy address belongs to the object at ffff000063606800
   which belongs to the cache kmalloc-256 of size 256
  The buggy address is located 176 bytes inside of
   256-byte region [ffff000063606800, ffff000063606900)
  The buggy address belongs to the page:
  page:fffffe00016d8180 refcount:1 mapcount:0 mapping:ffff00000302f600 index:0x0 compound_mapcount: 0
  flags: 0xffff00000010200(slab|head)
  raw: 0ffff00000010200 dead000000000100 dead000000000122 ffff00000302f600
  raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
  page dumped because: kasan: bad access detected

Signed-off-by: Guillaume Ranquet <granquet@baylibre.com>

Link: https://lore.kernel.org/r/20210513192642.29446-2-granquet@baylibre.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
2021-06-07 12:23:47 +05:30
..
bestcomm treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
dw dmaengine: dw: Make it dependent to HAS_IOMEM 2021-04-12 14:54:45 +05:30
dw-axi-dmac dmaengine: dw-axi-dmac: remove redundant null check on desc 2021-02-08 17:39:39 +05:30
dw-edma dmaengine: dw-edma: Add pcim_iomap_table return check 2021-03-16 22:58:54 +05:30
fsl-dpaa2-qdma dmaengine: fsl-dpaa2-qdma: Fix error return code in two functions 2021-05-10 21:34:49 +05:30
hsu dmaengine: hsu: disable spurious interrupt 2021-01-13 22:01:34 +05:30
idxd dmaengine: idxd: Fix missing error code in idxd_cdev_open() 2021-06-03 12:28:37 +05:30
ioat dmaengine: ioatdma: remove unused function missed during dma_v2 removal 2020-11-16 22:42:28 +05:30
ipu dmaengine: ipu: fix doc warning in ipu_irq.c 2021-06-03 18:17:26 +05:30
lgm dmaengine: INTEL_LDMA should depend on X86 2021-02-01 11:27:14 +05:30
mediatek dmaengine: mediatek: free the proper desc in desc_free handler 2021-06-07 12:23:47 +05:30
ppc4xx dmaengine: ppc4xx: remove xor_hw_desc assignment without reading 2020-10-30 14:10:27 +05:30
qcom dmaengine: QCOM_HIDMA_MGMT depends on HAS_IOMEM 2021-05-31 09:44:14 +05:30
sf-pdma dmaengine: SF_PDMA depends on HAS_IOMEM 2021-05-31 09:44:14 +05:30
sh dmaengine: rcar-dmac: Fix PM reference leak in rcar_dmac_probe() 2021-06-03 16:37:37 +05:30
ti dmaengine updates for v5.12-rc1 2021-02-23 15:05:10 -08:00
xilinx dmaengine: xilinx: dpdma: Limit descriptor IDs to 16 bits 2021-05-31 09:37:17 +05:30
acpi-dma.c dmaengine: acpi: Put the CSRT table after using it 2020-08-17 10:21:37 +05:30
altera-msgdma.c dmaengine: altera-msgdma: fix kernel-doc style for tasklet 2020-10-08 15:18:37 +05:30
amba-pl08x.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
at_hdmac.c dmaengine: at_hdmac: remove platform data header 2021-01-08 13:57:19 +05:30
at_hdmac_regs.h dmaengine: at_hdmac: remove platform data header 2021-01-08 13:57:19 +05:30
at_xdmac.c dmaengine: at_xdmac: Remove unused inline function at_xdmac_csize() 2021-04-20 16:02:19 +05:30
bcm-sba-raid.c dmaengine: bcm-sba-raid: Replace zero-length array with flexible-array member 2020-02-13 20:15:35 +05:30
bcm2835-dma.c dmaengine: bcm2835: Drop local dma_parms 2020-09-11 17:42:12 +05:30
dma-axi-dmac.c dmaengine: axi-dmac: Drop local dma_parms 2020-09-11 17:42:12 +05:30
dma-jz4780.c dmaengine: jz4780: Add support for the JZ4760(B) 2021-01-26 22:45:22 +05:30
dmaengine.c dmaengine: Fix a double free in dma_async_device_register 2021-04-12 15:05:58 +05:30
dmaengine.h dmaengine: Create debug directories for DMA devices 2020-03-11 14:56:14 +05:30
dmatest.c dmaengine: dmatest: Use dmaengine_get_dma_device 2020-12-11 21:20:08 +05:30
ep93xx_dma.c dmaengine: ep93xx: convert tasklets to use new tasklet_setup() API 2020-09-18 12:18:11 +05:30
fsl-edma-common.c dmaengine: fsl-edma: fix wrong tcd endianness for big-endian cpu 2020-07-06 14:49:22 +05:30
fsl-edma-common.h dmaengine: fsl-edma-common: correct DSIZE_32BYTE 2020-07-06 10:24:49 +05:30
fsl-edma.c dmaengine: fsl-edma: Fix NULL pointer exception in fsl_edma_tx_handler 2020-06-24 13:05:01 +05:30
fsl-qdma.c dmaengine: Extend NXP QDMA driver to check transmission errors 2020-07-17 11:50:03 +05:30
fsl_raid.c dmaengine: fsl: remove bad channel update 2020-10-05 09:59:17 +05:30
fsl_raid.h
fsldma.c dmaengine: fsldma: Fix a resource leak in an error handling path of the probe function 2021-01-12 18:00:39 +05:30
fsldma.h fsldma: fix very broken 32-bit ppc ioread64 functionality 2020-08-29 13:50:56 -07:00
hisi_dma.c dmaengine: hisi_dma: remove redundant irqsave and irqrestore in hardIRQ 2020-11-09 17:25:54 +05:30
idma64.c dmaengine: idma64: Switch to use __maybe_unused instead of ifdeffery 2020-11-09 17:21:05 +05:30
idma64.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
img-mdc-dma.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 422 2019-06-05 17:37:15 +02:00
imx-dma.c dmaengine: imx-dma: Remove unused .id_table 2020-11-24 22:55:07 +05:30
imx-sdma.c dmaengine: imx-sdma: Use of_device_get_match_data() 2021-01-26 22:42:48 +05:30
iop-adma.c Merge branch 'topic/tasklet' into next 2020-10-01 10:18:59 +05:30
iop-adma.h treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
k3dma.c dmaengine: k3dma: use the correct HiSilicon copyright 2021-04-12 17:14:53 +05:30
Kconfig dmaengine: ALTERA_MSGDMA depends on HAS_IOMEM 2021-05-31 09:44:14 +05:30
lpc18xx-dmamux.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
Makefile dmaengine: remove coh901318 driver 2021-01-26 22:55:32 +05:30
mcf-edma.c dmaengine: mcf-edma: Fix NULL pointer exception in mcf_edma_tx_handler 2020-06-24 13:06:15 +05:30
milbeaut-hdmac.c dmaengine: Replace zero-length array with flexible-array 2020-06-15 23:08:30 -05:00
milbeaut-xdmac.c dmaengine: milbeaut-xdmac: Fix a resource leak in the error handling path of the probe function 2020-12-29 10:08:00 +05:30
mmp_pdma.c dmaengine: mmp_pdma: Remove mmp_pdma_filter_fn() 2021-01-26 22:58:01 +05:30
mmp_tdma.c dmaengine: mmp: convert tasklets to use new tasklet_setup() API 2020-09-18 12:19:06 +05:30
moxart-dma.c dmaengine: moxart-dma: remove redundant irqsave and irqrestore in hardIRQ 2020-11-09 17:25:54 +05:30
mpc512x_dma.c dmaengine: mpc512x: convert tasklets to use new tasklet_setup() API 2020-09-18 12:19:06 +05:30
mv_xor.c dmaengine: mv_xor: drop of_match_ptr from of_device_id table 2020-11-24 23:02:20 +05:30
mv_xor.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 288 2019-06-05 17:36:37 +02:00
mv_xor_v2.c dmaengine: mv_xor_v2: Fix error return code in mv_xor_v2_probe() 2020-11-24 22:55:15 +05:30
mxs-dma.c dmaengine: mxs-dma: Remove the unused .id_table 2020-11-24 22:55:15 +05:30
nbpfaxi.c dmaengine: nbpfaxi: convert tasklets to use new tasklet_setup() API 2020-09-18 12:19:06 +05:30
of-dma.c dmaengine: of-dma: Add support for optional router configuration callback 2020-12-11 21:20:08 +05:30
owl-dma.c dmaengine: owl-dma: Fix a resource leak in the remove function 2021-01-12 18:00:40 +05:30
pch_dma.c dmaengine: pch_dma: convert tasklets to use new tasklet_setup() API 2020-09-18 12:19:06 +05:30
pl330.c dmaengine: pl330: fix wrong usage of spinlock flags in dma_cyclc 2021-05-10 21:38:46 +05:30
plx_dma.c dmaengine: plx_dma: add a missing put_device() on error path 2021-04-12 15:13:51 +05:30
pxa_dma.c dmaengine: pxa_dma: remove redundant irqsave and irqrestore in hardIRQ 2020-11-09 17:25:54 +05:30
s3c24xx-dma.c dmaengine: s3c24xx-dma: fix spelling mistake "to" -> "too" 2020-01-23 17:03:25 +05:30
sa11x0-dma.c dmaengine: sa11x0: convert tasklets to use new tasklet_setup() API 2020-09-18 12:19:07 +05:30
sprd-dma.c dmaengine: sprd: Set request pending flag when DMA controller is active 2020-03-23 11:38:24 +05:30
st_fdma.c iov_iter: Move unnecessary inclusion of crypto/hash.h 2020-06-30 09:34:23 -04:00
st_fdma.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
ste_dma40.c dmaengine: stedma40: add missing iounmap() on error in d40_probe() 2021-05-31 09:47:27 +05:30
ste_dma40_ll.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 194 2019-05-30 11:29:22 -07:00
ste_dma40_ll.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 194 2019-05-30 11:29:22 -07:00
stm32-dma.c dmaengine: stm32-dma: take address into account when computing max width 2020-12-11 21:13:08 +05:30
stm32-dmamux.c dmaengine: stm32: mark of_device_id table as maybe unused 2020-11-24 23:02:20 +05:30
stm32-mdma.c dmaengine: stm32-mdma: fix PM reference leak in stm32_mdma_alloc_chan_resourc() 2021-05-31 09:33:09 +05:30
sun4i-dma.c dmaengine: sun4i-dma: Demote obvious misuse of kerneldoc to standard comment blocks 2020-07-15 17:50:47 +05:30
sun6i-dma.c dmaengine: sun6i: Add support for A100 DMA 2020-11-18 16:28:49 +05:30
tegra20-apb-dma.c dmaengine: tegra20: Fix runtime PM imbalance on error 2021-04-12 15:10:44 +05:30
tegra210-adma.c dmaengine: tegra210-adma: remove redundant irqsave and irqrestore in hardIRQ 2020-11-09 17:25:54 +05:30
timb_dma.c dmaengine: timb_dma: convert tasklets to use new tasklet_setup() API 2020-09-18 12:19:07 +05:30
TODO
txx9dmac.c dmaengine: txx9dmac: convert tasklets to use new tasklet_setup() API 2020-09-18 12:19:07 +05:30
txx9dmac.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
uniphier-mdmac.c dmaengine: uniphier-mdmac: replace zero-length array with flexible-array member 2020-02-13 20:15:57 +05:30
uniphier-xdmac.c iov_iter: Move unnecessary inclusion of crypto/hash.h 2020-06-30 09:34:23 -04:00
virt-dma.c dmaengine: virt-dma: convert tasklets to use new tasklet_setup() API 2020-09-18 12:19:07 +05:30
virt-dma.h dmaengine: virt-dma: Add missing locking around list operations 2019-12-26 10:04:18 +05:30
xgene-dma.c dmaengine: xgene: convert tasklets to use new tasklet_setup() API 2020-09-18 12:19:07 +05:30