From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1757819AbcHWJZy (ORCPT <rfc822;w@1wt.eu>);
        Tue, 23 Aug 2016 05:25:54 -0400
Received: from mail5.windriver.com ([192.103.53.11]:40342 "EHLO mail5.wrs.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1757491AbcHWJZI (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 23 Aug 2016 05:25:08 -0400
Message-ID: <57BC1634.5020703@windriver.com>
Date: Tue, 23 Aug 2016 17:24:04 +0800
From: Xulin Sun <xulin.sun@windriver.com>
Reply-To: <1463486446-13890-1-git-send-email-colin.king@canonical.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: <vinod.koul@intel.com>, <colin.king@canonical.com>,
        <dmaengine@vger.kernel.org>
CC: Xulin Sun <xulin.sun@windriver.com>, <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] dmaengine: do not allow access outside of unmap_pool
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

 >On Tue, May 17, 2016 at 01:00:46PM +0100, Colin King wrote:
 >> From: Colin Ian King <colin.king@canonical.com>
 >>
 >> When CONFIG_DMA_ENGINE_RAID is defined, unmap_pool[] is just 1
 >> element in size, however, allows orders of 2..8 to access
 >> outside unmap_pool and returns an invalid address. Ensure
 >> we fall into the default path and report a BUG() when
 >> CONFIG_DMA_ENGINE_RAID is defined and order is out of range.
 >>
 >> Signed-off-by: Colin Ian King <colin.king@canonical.com>
 >> ---
 >>  drivers/dma/dmaengine.c | 2 ++
 >>  1 file changed, 2 insertions(+)
 >>
 >> diff --git a/drivers/dma/dmaengine.c b/drivers/dma/dmaengine.c
 >> index 8c9f45f..6027e66 100644
 >> --- a/drivers/dma/dmaengine.c
 >> +++ b/drivers/dma/dmaengine.c
 >> @@ -1100,12 +1100,14 @@ static struct dmaengine_unmap_pool 
*__get_unmap_pool(int nr)
 >>      switch (order) {
 >>      case 0 ... 1:
 >>          return &unmap_pool[0];
 >> +    #if IS_ENABLED(CONFIG_DMA_ENGINE_RAID)

 >Okay if CONFIG_DMA_ENGINE_RAID is enabled (m or y) then IS_ENABLED
 >return 1, so we will go inside and not fall into default. And I though
 >by changelog that you want it to go to default in CONFIG_DMA_ENGINE_RAID
 >is defined!

 >What did I miss...

Here it should be when CONFIG_DMA_ENGINE_RAID is NOT defined, 
unmap_pool[] is just 1
element in size,  and the function "__get_unmap_pool" will access 
outside of the array unmap_pool[]
in case orders of 2..8 and returns an invalid address, and I encountered 
the issue.

I think the patch is needed to avoid visiting outside of the array 
unmap_pool[] if CONFIG_DMA_ENGINE_RAID is NOT defined.

Thanks
Xulin
 >>      case 2 ... 4:
 >>          return &unmap_pool[1];
 >>      case 5 ... 7:
 >>          return &unmap_pool[2];
 >>      case 8:
 >>          return &unmap_pool[3];
 >> +    #endif
 >>      default:
 >>          BUG();
 >>          return NULL;
 >> --
 >> 2.8.1
 >>