From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Guillaume Ranquet <granquet@baylibre.com>,
Vinod Koul <vkoul@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 030/101] dmaengine: mediatek: free the proper desc in desc_free handler
Date: Mon, 28 Jun 2021 10:24:56 -0400 [thread overview]
Message-ID: <20210628142607.32218-31-sashal@kernel.org> (raw)
In-Reply-To: <20210628142607.32218-1-sashal@kernel.org>
From: Guillaume Ranquet <granquet@baylibre.com>
[ Upstream commit 0a2ff58f9f8f95526ecb0ccd7517fefceb96f661 ]
The desc_free handler assumed that the desc we want to free was always
the current one associated with the channel.
This is seldom the case and this is causing use after free crashes in
multiple places (tx/rx/terminate...).
BUG: KASAN: use-after-free in mtk_uart_apdma_rx_handler+0x120/0x304
Call trace:
dump_backtrace+0x0/0x1b0
show_stack+0x24/0x34
dump_stack+0xe0/0x150
print_address_description+0x8c/0x55c
__kasan_report+0x1b8/0x218
kasan_report+0x14/0x20
__asan_load4+0x98/0x9c
mtk_uart_apdma_rx_handler+0x120/0x304
mtk_uart_apdma_irq_handler+0x50/0x80
__handle_irq_event_percpu+0xe0/0x210
handle_irq_event+0x8c/0x184
handle_fasteoi_irq+0x1d8/0x3ac
__handle_domain_irq+0xb0/0x110
gic_handle_irq+0x50/0xb8
el0_irq_naked+0x60/0x6c
Allocated by task 3541:
__kasan_kmalloc+0xf0/0x1b0
kasan_kmalloc+0x10/0x1c
kmem_cache_alloc_trace+0x90/0x2dc
mtk_uart_apdma_prep_slave_sg+0x6c/0x1a0
mtk8250_dma_rx_complete+0x220/0x2e4
vchan_complete+0x290/0x340
tasklet_action_common+0x220/0x298
tasklet_action+0x28/0x34
__do_softirq+0x158/0x35c
Freed by task 3541:
__kasan_slab_free+0x154/0x224
kasan_slab_free+0x14/0x24
slab_free_freelist_hook+0xf8/0x15c
kfree+0xb4/0x278
mtk_uart_apdma_desc_free+0x34/0x44
vchan_complete+0x1bc/0x340
tasklet_action_common+0x220/0x298
tasklet_action+0x28/0x34
__do_softirq+0x158/0x35c
The buggy address belongs to the object at ffff000063606800
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 176 bytes inside of
256-byte region [ffff000063606800, ffff000063606900)
The buggy address belongs to the page:
page:fffffe00016d8180 refcount:1 mapcount:0 mapping:ffff00000302f600 index:0x0 compound_mapcount: 0
flags: 0xffff00000010200(slab|head)
raw: 0ffff00000010200 dead000000000100 dead000000000122 ffff00000302f600
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Signed-off-by: Guillaume Ranquet <granquet@baylibre.com>
Link: https://lore.kernel.org/r/20210513192642.29446-2-granquet@baylibre.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/mediatek/mtk-uart-apdma.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/drivers/dma/mediatek/mtk-uart-apdma.c b/drivers/dma/mediatek/mtk-uart-apdma.c
index 27c07350971d..e38b67fc0c0c 100644
--- a/drivers/dma/mediatek/mtk-uart-apdma.c
+++ b/drivers/dma/mediatek/mtk-uart-apdma.c
@@ -131,10 +131,7 @@ static unsigned int mtk_uart_apdma_read(struct mtk_chan *c, unsigned int reg)
static void mtk_uart_apdma_desc_free(struct virt_dma_desc *vd)
{
- struct dma_chan *chan = vd->tx.chan;
- struct mtk_chan *c = to_mtk_uart_apdma_chan(chan);
-
- kfree(c->desc);
+ kfree(container_of(vd, struct mtk_uart_apdma_desc, vd));
}
static void mtk_uart_apdma_start_tx(struct mtk_chan *c)
--
2.30.2
next prev parent reply other threads:[~2021-06-28 14:29 UTC|newest]
Thread overview: 116+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-28 14:24 [PATCH 5.10 000/101] 5.10.47-rc1 review Sasha Levin
2021-06-28 14:24 ` [PATCH 5.10 001/101] module: limit enabling module.sig_enforce Sasha Levin
2021-06-28 14:24 ` [PATCH 5.10 002/101] Revert "drm/amdgpu/gfx9: fix the doorbell missing when in CGPG issue." Sasha Levin
2021-06-28 14:24 ` [PATCH 5.10 003/101] Revert "drm/amdgpu/gfx10: enlarge CP_MEC_DOORBELL_RANGE_UPPER to cover full doorbell." Sasha Levin
2021-06-28 14:24 ` [PATCH 5.10 004/101] drm: add a locked version of drm_is_current_master Sasha Levin
2021-06-28 14:24 ` [PATCH 5.10 005/101] drm/nouveau: wait for moving fence after pinning v2 Sasha Levin
2021-06-28 14:24 ` [PATCH 5.10 006/101] drm/radeon: wait for moving fence after pinning Sasha Levin
2021-06-28 14:24 ` [PATCH 5.10 007/101] drm/amdgpu: " Sasha Levin
2021-06-28 14:24 ` [PATCH 5.10 008/101] ARM: 9081/1: fix gcc-10 thumb2-kernel regression Sasha Levin
2021-06-28 14:24 ` [PATCH 5.10 009/101] mmc: meson-gx: use memcpy_to/fromio for dram-access-quirk Sasha Levin
2021-06-28 14:24 ` [PATCH 5.10 010/101] MIPS: generic: Update node names to avoid unit addresses Sasha Levin
2021-06-28 14:24 ` [PATCH 5.10 011/101] arm64: Ignore any DMA offsets in the max_zone_phys() calculation Sasha Levin
2021-06-28 14:24 ` [PATCH 5.10 012/101] arm64: Force NO_BLOCK_MAPPINGS if crashkernel reservation is required Sasha Levin
2021-06-28 14:24 ` [PATCH 5.10 013/101] spi: spi-nxp-fspi: move the register operation after the clock enable Sasha Levin
2021-06-28 14:24 ` [PATCH 5.10 014/101] Revert "PCI: PM: Do not read power state in pci_enable_device_flags()" Sasha Levin
2021-06-28 14:24 ` [PATCH 5.10 015/101] drm/vc4: hdmi: Move the HSM clock enable to runtime_pm Sasha Levin
2021-06-28 14:24 ` [PATCH 5.10 016/101] drm/vc4: hdmi: Make sure the controller is powered in detect Sasha Levin
2021-07-01 10:15 ` Pavel Machek
2021-06-28 14:24 ` [PATCH 5.10 017/101] x86/entry: Fix noinstr fail in __do_fast_syscall_32() Sasha Levin
2021-06-28 14:24 ` [PATCH 5.10 018/101] x86/xen: Fix noinstr fail in exc_xen_unknown_trap() Sasha Levin
2021-06-28 14:24 ` [PATCH 5.10 019/101] locking/lockdep: Improve noinstr vs errors Sasha Levin
2021-06-28 14:24 ` [PATCH 5.10 020/101] perf/x86/lbr: Remove cpuc->lbr_xsave allocation from atomic context Sasha Levin
2021-06-28 14:24 ` [PATCH 5.10 021/101] perf/x86/intel/lbr: Zero the xstate buffer on allocation Sasha Levin
2021-06-28 14:24 ` [PATCH 5.10 022/101] dmaengine: zynqmp_dma: Fix PM reference leak in zynqmp_dma_alloc_chan_resourc() Sasha Levin
2021-06-28 14:24 ` [PATCH 5.10 023/101] dmaengine: stm32-mdma: fix PM reference leak in stm32_mdma_alloc_chan_resourc() Sasha Levin
2021-06-28 14:24 ` [PATCH 5.10 024/101] dmaengine: xilinx: dpdma: Add missing dependencies to Kconfig Sasha Levin
2021-06-28 14:24 ` [PATCH 5.10 025/101] dmaengine: xilinx: dpdma: Limit descriptor IDs to 16 bits Sasha Levin
2021-06-28 14:24 ` [PATCH 5.10 026/101] mac80211: remove warning in ieee80211_get_sband() Sasha Levin
2021-06-28 14:24 ` [PATCH 5.10 027/101] mac80211_hwsim: drop pending frames on stop Sasha Levin
2021-06-28 14:24 ` [PATCH 5.10 028/101] cfg80211: call cfg80211_leave_ocb when switching away from OCB Sasha Levin
2021-06-28 14:24 ` [PATCH 5.10 029/101] dmaengine: rcar-dmac: Fix PM reference leak in rcar_dmac_probe() Sasha Levin
2021-06-28 14:24 ` Sasha Levin [this message]
2021-06-28 14:24 ` [PATCH 5.10 031/101] dmaengine: mediatek: do not issue a new desc if one is still current Sasha Levin
2021-06-28 14:24 ` [PATCH 5.10 032/101] dmaengine: mediatek: use GFP_NOWAIT instead of GFP_ATOMIC in prep_dma Sasha Levin
2021-06-28 14:24 ` [PATCH 5.10 033/101] net: ipv4: Remove unneed BUG() function Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 034/101] mac80211: drop multicast fragments Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 035/101] net: ethtool: clear heap allocations for ethtool function Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 036/101] inet: annotate data race in inet_send_prepare() and inet_dgram_connect() Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 037/101] ping: Check return value of function 'ping_queue_rcv_skb' Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 038/101] net: annotate data race in sock_error() Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 039/101] inet: annotate date races around sk->sk_txhash Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 040/101] net/packet: annotate data race in packet_sendmsg() Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 041/101] net: phy: dp83867: perform soft reset and retain established link Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 042/101] riscv32: Use medany C model for modules Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 043/101] net: caif: fix memory leak in ldisc_open Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 044/101] net/packet: annotate accesses to po->bind Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 045/101] net/packet: annotate accesses to po->ifindex Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 046/101] r8152: Avoid memcpy() over-reading of ETH_SS_STATS Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 047/101] sh_eth: " Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 048/101] r8169: " Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 049/101] KVM: selftests: Fix kvm_check_cap() assertion Sasha Levin
2021-07-03 15:21 ` Pavel Machek
2021-07-05 7:10 ` Fuad Tabba
2021-07-05 12:00 ` Paolo Bonzini
2021-06-28 14:25 ` [PATCH 5.10 050/101] net: qed: Fix memcpy() overflow of qed_dcbx_params() Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 051/101] mac80211: reset profile_periodicity/ema_ap Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 052/101] mac80211: handle various extensible elements correctly Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 053/101] recordmcount: Correct st_shndx handling Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 054/101] PCI: Add AMD RS690 quirk to enable 64-bit DMA Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 055/101] net: ll_temac: Add memory-barriers for TX BD access Sasha Levin
2021-07-03 15:22 ` Pavel Machek
2021-07-05 7:42 ` Esben Haabendal
2021-06-28 14:25 ` [PATCH 5.10 056/101] net: ll_temac: Avoid ndo_start_xmit returning NETDEV_TX_BUSY Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 057/101] perf/x86: Track pmu in per-CPU cpu_hw_events Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 058/101] pinctrl: stm32: fix the reported number of GPIO lines per bank Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 059/101] i2c: i801: Ensure that SMBHSTSTS_INUSE_STS is cleared when leaving i801_access Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 060/101] gpiolib: cdev: zero padding during conversion to gpioline_info_changed Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 061/101] scsi: sd: Call sd_revalidate_disk() for ioctl(BLKRRPART) Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 062/101] nilfs2: fix memory leak in nilfs_sysfs_delete_device_group Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 063/101] s390/stack: fix possible register corruption with stack switch helper Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 064/101] KVM: do not allow mapping valid but non-reference-counted pages Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 065/101] i2c: robotfuzz-osif: fix control-request directions Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 066/101] ceph: must hold snap_rwsem when filling inode for async create Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 067/101] kthread_worker: split code for canceling the delayed work timer Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 068/101] kthread: prevent deadlock when kthread_mod_delayed_work() races with kthread_cancel_delayed_work_sync() Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 069/101] x86/fpu: Preserve supervisor states in sanitize_restored_user_xstate() Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 070/101] x86/fpu: Make init_fpstate correct with optimized XSAVE Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 071/101] mm: add VM_WARN_ON_ONCE_PAGE() macro Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 072/101] mm/rmap: remove unneeded semicolon in page_not_mapped() Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 073/101] mm/rmap: use page_not_mapped in try_to_unmap() Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 074/101] mm, thp: use head page in __migration_entry_wait() Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 075/101] mm/thp: fix __split_huge_pmd_locked() on shmem migration entry Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 076/101] mm/thp: make is_huge_zero_pmd() safe and quicker Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 077/101] mm/thp: try_to_unmap() use TTU_SYNC for safe splitting Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 078/101] mm/thp: fix vma_address() if virtual address below file offset Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 079/101] mm/thp: fix page_address_in_vma() on file THP tails Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 080/101] mm/thp: unmap_mapping_page() to fix THP truncate_cleanup_page() Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 081/101] mm: thp: replace DEBUG_VM BUG with VM_WARN when unmap fails for split Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 082/101] mm: page_vma_mapped_walk(): use page for pvmw->page Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 083/101] mm: page_vma_mapped_walk(): settle PageHuge on entry Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 084/101] mm: page_vma_mapped_walk(): use pmde for *pvmw->pmd Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 085/101] mm: page_vma_mapped_walk(): prettify PVMW_MIGRATION block Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 086/101] mm: page_vma_mapped_walk(): crossing page table boundary Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 087/101] mm: page_vma_mapped_walk(): add a level of indentation Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 088/101] mm: page_vma_mapped_walk(): use goto instead of while (1) Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 089/101] mm: page_vma_mapped_walk(): get vma_address_end() earlier Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 090/101] mm/thp: fix page_vma_mapped_walk() if THP mapped by ptes Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 091/101] mm/thp: another PVMW_SYNC fix in page_vma_mapped_walk() Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 092/101] mm, futex: fix shared futex pgoff on shmem huge page Sasha Levin
2021-06-28 14:25 ` [PATCH 5.10 093/101] KVM: SVM: Call SEV Guest Decommission if ASID binding fails Sasha Levin
2021-06-28 14:26 ` [PATCH 5.10 094/101] swiotlb: manipulate orig_addr when tlb_addr has offset Sasha Levin
2021-06-28 14:26 ` [PATCH 5.10 095/101] netfs: fix test for whether we can skip read when writing beyond EOF Sasha Levin
2021-06-28 14:26 ` [PATCH 5.10 096/101] Revert "drm: add a locked version of drm_is_current_master" Sasha Levin
2021-06-28 14:26 ` [PATCH 5.10 097/101] certs: Add EFI_CERT_X509_GUID support for dbx entries Sasha Levin
2021-06-28 14:26 ` [PATCH 5.10 098/101] certs: Move load_system_certificate_list to a common function Sasha Levin
2021-06-28 14:26 ` [PATCH 5.10 099/101] certs: Add ability to preload revocation certs Sasha Levin
2021-06-28 14:26 ` [PATCH 5.10 100/101] integrity: Load mokx variables into the blacklist keyring Sasha Levin
2021-06-28 14:26 ` [PATCH 5.10 101/101] Linux 5.10.47-rc1 Sasha Levin
2021-06-28 20:49 ` [PATCH 5.10 000/101] 5.10.47-rc1 review Fox Chen
2021-06-29 7:29 ` Naresh Kamboju
2021-06-29 12:08 ` Sudip Mukherjee
2021-06-30 13:04 ` Sasha Levin
2021-06-29 18:20 ` Guenter Roeck
2021-06-30 1:01 ` Samuel Zou
2021-06-30 13:05 ` Sasha Levin
2021-07-01 11:55 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210628142607.32218-31-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=granquet@baylibre.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=vkoul@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox