[RESEND][PATCH] firmware: stratix10-svc: fix a missing check on list iterator

Xiaomeng Tong posted 1 patch 4 years ago
drivers/firmware/stratix10-svc.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
[RESEND][PATCH] firmware: stratix10-svc: fix a missing check on list iterator
Posted by Xiaomeng Tong 4 years ago
The bug is here:
	pmem->vaddr = NULL;

The list iterator 'pmem' will point to a bogus position containing
HEAD if the list is empty or no element is found. This case must
be checked before any use of the iterator, otherwise it will
lead to an invalid memory access.

To fix this bug, just gen_pool_free/set NULL/list_del() and return
when found, otherwise list_del HEAD and return;

Cc: stable@vger.kernel.org
Fixes: 7ca5ce896524f ("firmware: add Intel Stratix10 service layer driver")
Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
---
 drivers/firmware/stratix10-svc.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/firmware/stratix10-svc.c b/drivers/firmware/stratix10-svc.c
index 29c0a616b317..30093aa82b7f 100644
--- a/drivers/firmware/stratix10-svc.c
+++ b/drivers/firmware/stratix10-svc.c
@@ -941,17 +941,17 @@ EXPORT_SYMBOL_GPL(stratix10_svc_allocate_memory);
 void stratix10_svc_free_memory(struct stratix10_svc_chan *chan, void *kaddr)
 {
 	struct stratix10_svc_data_mem *pmem;
-	size_t size = 0;
 
 	list_for_each_entry(pmem, &svc_data_mem, node)
 		if (pmem->vaddr == kaddr) {
-			size = pmem->size;
-			break;
+			gen_pool_free(chan->ctrl->genpool,
+				       (unsigned long)kaddr, pmem->size);
+			pmem->vaddr = NULL;
+			list_del(&pmem->node);
+			return;
 		}
 
-	gen_pool_free(chan->ctrl->genpool, (unsigned long)kaddr, size);
-	pmem->vaddr = NULL;
-	list_del(&pmem->node);
+	list_del(&svc_data_mem);
 }
 EXPORT_SYMBOL_GPL(stratix10_svc_free_memory);
 
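Review bot: list_del(&svc_data_mem) on the fall-through path deletes the list head itself, which is not a safe way to handle "kaddr not found". list_del() unlinks its argument and then poisons that entry's next/prev pointers, so after a single failed lookup every later walk or insertion on svc_data_mem starts from a poisoned head, and on a non-empty list the remaining entries are no longer reachable through it. The not-found case should leave the list alone: drop this line and simply return, ideally after a warning that names kaddr so a double free or a stray pointer from a caller is visible. The commit message says "otherwise list_del HEAD" without giving a reason; if it is intentional, the reason needs to be stated.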
-- 
2.17.1
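The iterator behaviour the commit message describes, as an added userspace example (not code from the patch or the driver). The list macros are minimal stand-ins for `<linux/list.h>`; `struct mem`, `cursor_after_miss()` and `free_mem()` are hypothetical names, and `free_mem()` is one defensive shape that reports a miss, not the change the patch makes.

```c
#include <stddef.h>

/* Userspace stand-ins for <linux/list.h>, constructed for this example. */
struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_for_each_entry(pos, head, member) \
	for (pos = container_of((head)->next, __typeof__(*pos), member); \
	     &pos->member != (head); \
	     pos = container_of(pos->member.next, __typeof__(*pos), member))

/* Hypothetical record with the vaddr/size/node fields the patch touches. */
struct mem { void *vaddr; size_t size; struct list_head node; };

/* Pre-patch shape: break out, then keep using the cursor. After a miss (or
 * on an empty list) the cursor is container_of(head): the head dressed up
 * as a struct mem, not a real entry. It is returned here, never written. */
struct mem *cursor_after_miss(struct list_head *head, void *kaddr)
{
	struct mem *pos;
	list_for_each_entry(pos, head, node)
		if (pos->vaddr == kaddr)
			break;
	return pos;
}

/* Defensive shape: touch the entry only inside the loop. A miss returns -1
 * and leaves the list, head included, exactly as it was. */
int free_mem(struct list_head *head, void *kaddr)
{
	struct mem *pos;
	list_for_each_entry(pos, head, node) {
		if (pos->vaddr != kaddr)
			continue;
		pos->vaddr = NULL;
		pos->node.prev->next = pos->node.next;	/* unlink */
		pos->node.next->prev = pos->node.prev;
		return 0;
	}
	return -1;
}

int main(void)
{
	struct list_head head = { &head, &head };	/* empty list */
	int unknown;					/* address never listed */
	return !(&cursor_after_miss(&head, &unknown)->node == &head &&
		 free_mem(&head, &unknown) == -1);
}
```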
Re: [RESEND][PATCH] firmware: stratix10-svc: fix a missing check on list iterator
Posted by Dinh Nguyen 4 years ago

On 4/13/22 22:56, Xiaomeng Tong wrote:
> The bug is here:
> 	pmem->vaddr = NULL;
> 
> The list iterator 'pmem' will point to a bogus position containing
> HEAD if the list is empty or no element is found. This case must
> be checked before any use of the iterator, otherwise it will
> lead to an invalid memory access.
> 
> To fix this bug, just gen_pool_free/set NULL/list_del() and return
> when found, otherwise list_del HEAD and return;
> 
> Cc: stable@vger.kernel.org
> Fixes: 7ca5ce896524f ("firmware: add Intel Stratix10 service layer driver")
> Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
> ---
>   drivers/firmware/stratix10-svc.c | 12 ++++++------
>   1 file changed, 6 insertions(+), 6 deletions(-)
> 
> diff --git a/drivers/firmware/stratix10-svc.c b/drivers/firmware/stratix10-svc.c
> index 29c0a616b317..30093aa82b7f 100644
> --- a/drivers/firmware/stratix10-svc.c
> +++ b/drivers/firmware/stratix10-svc.c
> @@ -941,17 +941,17 @@ EXPORT_SYMBOL_GPL(stratix10_svc_allocate_memory);
>   void stratix10_svc_free_memory(struct stratix10_svc_chan *chan, void *kaddr)
>   {
>   	struct stratix10_svc_data_mem *pmem;
> -	size_t size = 0;
>   
>   	list_for_each_entry(pmem, &svc_data_mem, node)
>   		if (pmem->vaddr == kaddr) {
> -			size = pmem->size;
> -			break;
> +			gen_pool_free(chan->ctrl->genpool,
> +				       (unsigned long)kaddr, pmem->size);
> +			pmem->vaddr = NULL;
> +			list_del(&pmem->node);
> +			return;
>   		}
>   
> -	gen_pool_free(chan->ctrl->genpool, (unsigned long)kaddr, size);
> -	pmem->vaddr = NULL;
> -	list_del(&pmem->node);
> +	list_del(&svc_data_mem);
>   }
>   EXPORT_SYMBOL_GPL(stratix10_svc_free_memory);
>   
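Review bot: the list_for_each_entry() body in the new found branch now spans several lines and contains a return, yet the loop itself still has no braces; kernel coding style asks for braces once a loop holds more than a single simple statement. The branch also calls list_del(&pmem->node) from inside the non-_safe iterator, which is correct only because of the immediate return, so a one-line comment saying that would keep a later edit from turning the return into a continue. No lock is taken in the visible lines around the walk and the delete; please confirm that callers of stratix10_svc_free_memory() are serialized against each other and against stratix10_svc_allocate_memory(), or say so in the commit message.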

Acked-by: Dinh Nguyen <dinguyen@kernel.org>