[BUG][PATCH]dma-coherent.c: error path bug

From: Marin Mitov
Date: Sun Jun 06 2010 - 06:55:40 EST


Hi all,

The error path in dma_declare_coherent_memory() leaves
the pointer dev->dma_mem incompletely initialized.

If allocation of dev->dma_mem succeeds
but allocation of dev->dma_mem->bitmap fails,
dev->dma_mem is freed but left non-NULL, so it still
points at the freed, incompletely initialized structure.

Either zero it after being freed (one liner patch), or assign to
dev->dma_mem only completely initialized structure (patch included).

Comments welcome.

Marin Mitov

Signed-off-by: Marin Mitov <mitov@xxxxxxxxxxx>

=======================================================================
--- a/drivers/base/dma-coherent.c 2010-06-06 12:47:17.000000000 +0300
+++ b/drivers/base/dma-coherent.c 2010-06-06 12:53:36.000000000 +0300
@@ -17,6 +17,7 @@ struct dma_coherent_mem {
int dma_declare_coherent_memory(struct device *dev, dma_addr_t bus_addr,
dma_addr_t device_addr, size_t size, int flags)
{
+ struct dma_coherent_mem *mem;
void __iomem *mem_base = NULL;
int pages = size >> PAGE_SHIFT;
int bitmap_size = BITS_TO_LONGS(pages) * sizeof(long);
@@ -34,17 +35,18 @@ int dma_declare_coherent_memory(struct d
if (!mem_base)
goto out;

- dev->dma_mem = kzalloc(sizeof(struct dma_coherent_mem), GFP_KERNEL);
- if (!dev->dma_mem)
+ mem = kzalloc(sizeof(*mem), GFP_KERNEL);
+ if (!mem)
goto out;
- dev->dma_mem->bitmap = kzalloc(bitmap_size, GFP_KERNEL);
- if (!dev->dma_mem->bitmap)
+ mem->bitmap = kzalloc(bitmap_size, GFP_KERNEL);
+ if (!mem->bitmap)
goto free1_out;

- dev->dma_mem->virt_base = mem_base;
- dev->dma_mem->device_base = device_addr;
- dev->dma_mem->size = pages;
- dev->dma_mem->flags = flags;
+ mem->virt_base = mem_base;
+ mem->device_base = device_addr;
+ mem->size = pages;
+ mem->flags = flags;
+ dev->dma_mem = mem;

if (flags & DMA_MEMORY_MAP)
return DMA_MEMORY_MAP;
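Review bot: The new `dev->dma_mem = mem;` is the single point where the structure becomes reachable through the device, and nothing in the hunk records that this ordering is deliberate. A short comment above it, such as `/* publish only once fully set up; error paths must never leave dev->dma_mem pointing at freed memory */`, would keep a later edit from moving the assignment back above the bitmap allocation and reintroducing the dangling pointer. The hunk shows no lock or barrier around the store, so if other contexts can read dev->dma_mem while this function runs (not visible here), it is worth confirming that a plain store is enough. The function body starts and ends outside this hunk.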
@@ -52,7 +54,7 @@ int dma_declare_coherent_memory(struct d
return DMA_MEMORY_IO;

free1_out:
- kfree(dev->dma_mem);
+ kfree(mem);
out:
if (mem_base)
iounmap(mem_base);