From: Xulin Sun <xulin.sun@windriver.com>
To: <vinod.koul@intel.com>, <colin.king@canonical.com>,
<dmaengine@vger.kernel.org>
Cc: Xulin Sun <xulin.sun@windriver.com>, <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] dmaengine: do not allow access outside of unmap_pool
Date: Tue, 23 Aug 2016 17:24:04 +0800
Message-ID: <57BC1634.5020703@windriver.com>
>On Tue, May 17, 2016 at 01:00:46PM +0100, Colin King wrote:
>> From: Colin Ian King <colin.king@canonical.com>
>>
>> When CONFIG_DMA_ENGINE_RAID is defined, unmap_pool[] is just 1
>> element in size, however, allows orders of 2..8 to access
>> outside unmap_pool and returns an invalid address. Ensure
>> we fall into the default path and report a BUG() when
>> CONFIG_DMA_ENGINE_RAID is defined and order is out of range.
>>
>> Signed-off-by: Colin Ian King <colin.king@canonical.com>
>> ---
>> drivers/dma/dmaengine.c | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/drivers/dma/dmaengine.c b/drivers/dma/dmaengine.c
>> index 8c9f45f..6027e66 100644
>> --- a/drivers/dma/dmaengine.c
>> +++ b/drivers/dma/dmaengine.c
>> @@ -1100,12 +1100,14 @@ static struct dmaengine_unmap_pool
*__get_unmap_pool(int nr)
>> switch (order) {
>> case 0 ... 1:
>> return &unmap_pool[0];
>> + #if IS_ENABLED(CONFIG_DMA_ENGINE_RAID)
>Okay if CONFIG_DMA_ENGINE_RAID is enabled (m or y) then IS_ENABLED
>returns 1, so we will go inside and not fall into default. And I thought
>by changelog that you want it to go to default if CONFIG_DMA_ENGINE_RAID
>is defined!
>What did I miss...

Here it should be: when CONFIG_DMA_ENGINE_RAID is NOT defined,
unmap_pool[] is just 1 element in size, and the function
"__get_unmap_pool" will access outside of the array unmap_pool[]
in case of orders 2..8 and return an invalid address, and I
encountered the issue.

I think the patch is needed to avoid visiting outside of the array
unmap_pool[] if CONFIG_DMA_ENGINE_RAID is NOT defined.

Thanks
Xulin

>> case 2 ... 4:
>> return &unmap_pool[1];
>> case 5 ... 7:
>> return &unmap_pool[2];
>> case 8:
>> return &unmap_pool[3];
>> + #endif
>> default:
>> BUG();
>> return NULL;
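Review bot: the changelog contradicts the guard added before "case 2 ... 4:". With "#if IS_ENABLED(CONFIG_DMA_ENGINE_RAID)" the cases returning &unmap_pool[1] through &unmap_pool[3] are kept when the option is enabled and compiled out when it is not, so orders 2..8 reach "default:" and BUG() only when the option is not set, while the commit message says "When CONFIG_DMA_ENGINE_RAID is defined, unmap_pool[] is just 1 element in size" and "report a BUG() when CONFIG_DMA_ENGINE_RAID is defined". Please reword both sentences to "not defined" so the description matches the code. A one-line comment above the #if saying that unmap_pool[] has a single entry without the option would also help the next reader see why the cases are conditional.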
>> --
>> 2.8.1
>>