* [PATCH] b43: Fix possible NULL pointer dereference in DMA code
From: Michael Buesch @ 2008-06-12 9:58 UTC (permalink / raw)
To: John Linville
Cc: bcm43xx-dev, linux-wireless, FUJITA Tomonori, vegard.nossum,
miles.lane, akpm
This fixes a possible NULL pointer dereference in an error path of the
DMA allocation error checking code. This is also necessary for a future
DMA API change that is on its way into the mainline kernel that adds
an additional dev parameter to dma_mapping_error().
This patch moves the whole struct b43_dmaring initialization
right before any DMA allocation operation.
Signed-off-by: Michael Buesch <mb@bu3sch.de>
---
John, this is a bugfix for 2.6.26
Index: wireless-testing/drivers/net/wireless/b43/dma.c
===================================================================
--- wireless-testing.orig/drivers/net/wireless/b43/dma.c 2008-06-12 11:49:24.000000000 +0200
+++ wireless-testing/drivers/net/wireless/b43/dma.c 2008-06-12 11:50:10.000000000 +0200
@@ -792,30 +792,55 @@ struct b43_dmaring *b43_setup_dmaring(st
int controller_index,
int for_tx,
enum b43_dmatype type)
{
struct b43_dmaring *ring;
int err;
- int nr_slots;
dma_addr_t dma_test;
ring = kzalloc(sizeof(*ring), GFP_KERNEL);
if (!ring)
goto out;
- ring->type = type;
- nr_slots = B43_RXRING_SLOTS;
+ ring->nr_slots = B43_RXRING_SLOTS;
if (for_tx)
- nr_slots = B43_TXRING_SLOTS;
+ ring->nr_slots = B43_TXRING_SLOTS;
- ring->meta = kcalloc(nr_slots, sizeof(struct b43_dmadesc_meta),
+ ring->meta = kcalloc(ring->nr_slots, sizeof(struct b43_dmadesc_meta),
GFP_KERNEL);
if (!ring->meta)
goto err_kfree_ring;
+
+ ring->type = type;
+ ring->dev = dev;
+ ring->mmio_base = b43_dmacontroller_base(type, controller_index);
+ ring->index = controller_index;
+ if (type == B43_DMA_64BIT)
+ ring->ops = &dma64_ops;
+ else
+ ring->ops = &dma32_ops;
if (for_tx) {
- ring->txhdr_cache = kcalloc(nr_slots,
+ ring->tx = 1;
+ ring->current_slot = -1;
+ } else {
+ if (ring->index == 0) {
+ ring->rx_buffersize = B43_DMA0_RX_BUFFERSIZE;
+ ring->frameoffset = B43_DMA0_RX_FRAMEOFFSET;
+ } else if (ring->index == 3) {
+ ring->rx_buffersize = B43_DMA3_RX_BUFFERSIZE;
+ ring->frameoffset = B43_DMA3_RX_FRAMEOFFSET;
+ } else
+ B43_WARN_ON(1);
+ }
+ spin_lock_init(&ring->lock);
+#ifdef CONFIG_B43_DEBUG
+ ring->last_injected_overflow = jiffies;
+#endif
+
+ if (for_tx) {
+ ring->txhdr_cache = kcalloc(ring->nr_slots,
b43_txhdr_size(dev),
GFP_KERNEL);
if (!ring->txhdr_cache)
goto err_kfree_meta;
/* test for ability to dma to txhdr_cache */
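Review bot: In the rx branch, `else B43_WARN_ON(1);` only warns on a controller index other than 0 or 3 and then continues setup with rx_buffersize and frameoffset still zero from kzalloc(). Now that this block runs before the txhdr_cache and ring-memory allocations, the unexpected-index case could fail early instead with `} else { B43_WARN_ON(1); goto err_kfree_meta; }`, assuming that label (outside this hunk) frees only ring->meta and the ring. How later rx code uses a zero rx_buffersize is not visible here, so treat the impact as unconfirmed. A short comment above `ring->type = type;` should also say that the ring must be fully initialized before the first `b43_dma_mapping_error(ring, ...)` call, since that ordering is the fix and nothing in the code records it. b43_setup_dmaring() starts and ends outside this hunk.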
@@ -825,13 +850,13 @@ struct b43_dmaring *b43_setup_dmaring(st
DMA_TO_DEVICE);
if (b43_dma_mapping_error(ring, dma_test,
b43_txhdr_size(dev), 1)) {
/* ugh realloc */
kfree(ring->txhdr_cache);
- ring->txhdr_cache = kcalloc(nr_slots,
+ ring->txhdr_cache = kcalloc(ring->nr_slots,
b43_txhdr_size(dev),
GFP_KERNEL | GFP_DMA);
if (!ring->txhdr_cache)
goto err_kfree_meta;
dma_test = dma_map_single(dev->dev->dma_dev,
@@ -850,38 +875,12 @@ struct b43_dmaring *b43_setup_dmaring(st
dma_unmap_single(dev->dev->dma_dev,
dma_test, b43_txhdr_size(dev),
DMA_TO_DEVICE);
}
- ring->dev = dev;
- ring->nr_slots = nr_slots;
- ring->mmio_base = b43_dmacontroller_base(type, controller_index);
- ring->index = controller_index;
- if (type == B43_DMA_64BIT)
- ring->ops = &dma64_ops;
- else
- ring->ops = &dma32_ops;
- if (for_tx) {
- ring->tx = 1;
- ring->current_slot = -1;
- } else {
- if (ring->index == 0) {
- ring->rx_buffersize = B43_DMA0_RX_BUFFERSIZE;
- ring->frameoffset = B43_DMA0_RX_FRAMEOFFSET;
- } else if (ring->index == 3) {
- ring->rx_buffersize = B43_DMA3_RX_BUFFERSIZE;
- ring->frameoffset = B43_DMA3_RX_FRAMEOFFSET;
- } else
- B43_WARN_ON(1);
- }
- spin_lock_init(&ring->lock);
-#ifdef CONFIG_B43_DEBUG
- ring->last_injected_overflow = jiffies;
-#endif
-
err = alloc_ringmemory(ring);
if (err)
goto err_kfree_txhdr_cache;
err = dmacontroller_setup(ring);
if (err)
goto err_free_ringmemory;
* Re: [PATCH] b43: Fix possible NULL pointer dereference in DMA code
From: Vegard Nossum @ 2008-06-12 11:03 UTC (permalink / raw)
To: Michael Buesch
Cc: John Linville, bcm43xx-dev, linux-wireless, FUJITA Tomonori,
miles.lane, akpm
On Thu, Jun 12, 2008 at 11:58 AM, Michael Buesch <mb@bu3sch.de> wrote:
> This fixes a possible NULL pointer dereference in an error path of the
> DMA allocation error checking code. This is also necessary for a future
> DMA API change that is on its way into the mainline kernel that adds
> an additional dev parameter to dma_mapping_error().
>
> This patch moves the whole struct b43_dmaring struct initialization
> right before any DMA allocation operation.
>
Reported-by: Miles Lane <miles.lane@gmail.com>
> Signed-off-by: Michael Buesch <mb@bu3sch.de>
Thanks :-)
Vegard
--
"The animistic metaphor of the bug that maliciously sneaked in while
the programmer was not looking is intellectually dishonest as it
disguises that the error is the programmer's own creation."
-- E. W. Dijkstra, EWD1036