* Re: [BUG] tty: serial: mxs-auart: possible concurrency use-after-free bugs in mxs_auart_dma_exit_channel()
  [not found] <8da85649-f539-9c36-a97e-3582844e82fb@gmail.com>
From: Greg KH @ 2019-01-07 8:52 UTC
To: Jia-Ju Bai; +Cc: jslaby, linux-serial, Linux Kernel Mailing List

On Mon, Jan 07, 2019 at 04:47:43PM +0800, Jia-Ju Bai wrote:
> The driver functions mxs_auart_settermios(), dma_rx_callback() and dma_tx_callback() can be concurrently executed.
>
> In Linux 4.19:
>
> mxs_auart_settermios
>   mxs_auart_dma_exit
>     mxs_auart_dma_exit_channel
>       line 918: kfree(s->tx_dma_buf);
>       line 919: kfree(s->rx_dma_buf);
>
> dma_rx_callback
>   line 862: tty_insert_flip_string(port, s->rx_dma_buf, count);
>   mxs_auart_dma_prep_rx
>     line 890: sg_init_one(sgl, s->rx_dma_buf, UART_XMIT_SIZE);
>
> dma_tx_callback
>   mxs_auart_tx_chars
>     line 590: void *buffer = s->tx_dma_buf;
>     mxs_auart_dma_tx
>       line 566: sg_init_one(sgl, s->tx_dma_buf, size);
>
> Thus, possible concurrency use-after-free bugs may occur.
>
> These possible bugs are found by a static analysis tool written by myself and my manual code review.

Care to send a patch to fix up this issue?

thanks,

greg k-h

* Re: [BUG] tty: serial: mxs-auart: possible concurrency use-after-free bugs in mxs_auart_dma_exit_channel()
From: Jia-Ju Bai @ 2019-01-07 9:03 UTC
To: Greg KH; +Cc: jslaby, linux-serial, Linux Kernel Mailing List

On 2019/1/7 16:52, Greg KH wrote:
> On Mon, Jan 07, 2019 at 04:47:43PM +0800, Jia-Ju Bai wrote:
>> The driver functions mxs_auart_settermios(), dma_rx_callback() and dma_tx_callback() can be concurrently executed.
>>
>> In Linux 4.19:
>>
>> mxs_auart_settermios
>>   mxs_auart_dma_exit
>>     mxs_auart_dma_exit_channel
>>       line 918: kfree(s->tx_dma_buf);
>>       line 919: kfree(s->rx_dma_buf);
>>
>> dma_rx_callback
>>   line 862: tty_insert_flip_string(port, s->rx_dma_buf, count);
>>   mxs_auart_dma_prep_rx
>>     line 890: sg_init_one(sgl, s->rx_dma_buf, UART_XMIT_SIZE);
>>
>> dma_tx_callback
>>   mxs_auart_tx_chars
>>     line 590: void *buffer = s->tx_dma_buf;
>>     mxs_auart_dma_tx
>>       line 566: sg_init_one(sgl, s->tx_dma_buf, size);
>>
>> Thus, possible concurrency use-after-free bugs may occur.
>>
>> These possible bugs are found by a static analysis tool written by myself and my manual code review.
> Care to send a patch to fix up this issue?

I would like to, but I do not know how to fix these bugs properly...
There is no lock and lock-related function call in drivers/tty/serial/mxs-auart.c.
Thus, we may need to introduce a new lock in this source file.
What is your opinion?

Best wishes,
Jia-Ju Bai
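
The idea of a new lock raised in the last message, modelled in user space as an added example (not code from this thread or from drivers/tty/serial/mxs-auart.c): a pthread mutex stands in for a kernel lock, and struct auart_model and the model_* functions are hypothetical names. It shows only how the free and the use are serialized through a lock plus a NULL re-check, not how in-flight DMA would be stopped in the real driver.

```c
/* Constructed user-space model; every name is hypothetical, not from mxs-auart.c. */
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

struct auart_model {
    pthread_mutex_t lock;   /* stands in for a new driver lock */
    char *rx_dma_buf;       /* NULL once the channel is torn down */
    char flip[64];          /* stands in for the tty flip buffer */
};

/* Teardown path: free and clear the pointer while holding the lock. */
static void model_dma_exit_channel(struct auart_model *s)
{
    pthread_mutex_lock(&s->lock);
    free(s->rx_dma_buf);
    s->rx_dma_buf = NULL;
    pthread_mutex_unlock(&s->lock);
}

/* Callback path: returns bytes copied, or -1 if the buffer is already gone. */
static int model_rx_callback(struct auart_model *s, size_t count)
{
    pthread_mutex_lock(&s->lock);
    int ok = s->rx_dma_buf != NULL && count <= sizeof(s->flip);
    if (ok)
        memcpy(s->flip, s->rx_dma_buf, count);
    pthread_mutex_unlock(&s->lock);
    return ok ? (int)count : -1;
}

static void *rx_thread(void *arg)
{
    for (int i = 0; i < 100000; i++)
        model_rx_callback(arg, 16);
    return NULL;
}

/* Run teardown concurrently with the callback; 0 means both paths finished. */
static int model_race(struct auart_model *s)
{
    pthread_t t;
    pthread_mutex_init(&s->lock, NULL);
    s->rx_dma_buf = calloc(1, sizeof(s->flip));
    if (!s->rx_dma_buf || pthread_create(&t, NULL, rx_thread, s)) return -1;
    model_dma_exit_channel(s);
    pthread_join(t, NULL);
    return 0;
}
```

Building the same model without the lock and NULL check under AddressSanitizer or ThreadSanitizer reproduces the reported pattern as a heap-use-after-free or data-race report.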