linux/drivers/dma
Sven Van Asbroeck 09593c25b9 dmaengine: imx-sdma: fix use-after-free on probe error path
[ Upstream commit 2b8066c3de ]

If probe() fails anywhere beyond the point where
sdma_get_firmware() is called, then a kernel oops may occur.

Problematic sequence of events:
1. probe() calls sdma_get_firmware(), which schedules the
   firmware callback to run when firmware becomes available,
   using the sdma instance structure as the context
2. probe() encounters an error, which deallocates the
   sdma instance structure
3. firmware becomes available, firmware callback is
   called with deallocated sdma instance structure
4. use after free - kernel oops !

Solution: only attempt to load firmware when we're certain
that probe() will succeed. This guarantees that the firmware
callback's context will remain valid.

Note that the remove() path is unaffected by this issue: the
firmware loader will increment the driver module's use count,
ensuring that the module cannot be unloaded while the
firmware callback is pending or running.

Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
Reviewed-by: Robin Gong <yibin.gong@nxp.com>
[vkoul: fixed braces for if condition]
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-07-26 09:13:56 +02:00
bestcomm treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
dw dmaengine: dw: Fix FIFO size for Intel Merrifield 2018-12-13 09:16:19 +01:00
dw-axi-dmac dmaengine: dw-axi-dmac: fix null dereference when pointer first is null 2019-06-25 11:35:55 +08:00
hsu dmaengine: hsu: Support dmaengine_terminate_sync() 2018-07-10 21:10:44 +05:30
ioat driver/dma/ioat: Call del_timer_sync() without holding prep_lock 2018-11-13 11:08:36 -08:00
ipu treewide: Use array_size() in vmalloc() 2018-06-12 16:19:22 -07:00
mediatek dmaengine: mediatek: Add MediaTek High-Speed DMA controller for MT7622 and MT7623 SoC 2018-03-27 15:18:15 +05:30
ppc4xx dmaengine: ppc4xx: fix off-by-one build failure 2018-11-13 11:08:41 -08:00
qcom dmaengine: qcom: bam_dma: Fix completed descriptors count 2019-07-10 09:53:48 +02:00
sh dmaengine: sh: rcar-dmac: Fix glitch in dmaengine_tx_status 2019-05-02 09:58:55 +02:00
ti dmaengine: cppi41: delete channel from pending list when stop channel 2018-12-13 09:16:20 +01:00
xilinx dmaengine: xilinx_dma: Remove __aligned attribute on zynqmp_dma_desc_ll 2019-02-12 19:47:02 +01:00
acpi-dma.c
altera-msgdma.c dmaengine: altera: Use IRQ-safe spinlock calls in the error paths as well 2017-10-20 11:51:10 +05:30
amba-pl08x.c dmaengine: amba-pl08x: Use vchan_terminate_vdesc() instead of desc_free 2017-12-04 22:33:51 +05:30
at_hdmac_regs.h dmaengine: at_hdmac: Remove unnecessary 0x prefixes before %pad 2017-11-08 10:47:04 +05:30
at_hdmac.c dmaengine: at_hdmac: fix module unloading 2018-12-05 19:32:12 +01:00
at_xdmac.c dmaengine: at_xdmac: remove BUG_ON macro in tasklet 2019-05-31 06:46:17 -07:00
bcm-sba-raid.c treewide: Use struct_size() for devm_kmalloc() and friends 2018-06-06 11:15:43 -07:00
bcm2835-dma.c dmaengine: bcm2835: Fix abort of transactions 2019-02-12 19:47:24 +01:00
coh901318_lli.c dmaengine: coh901318: use NULL for pointer initialization 2016-09-26 22:28:24 +05:30
coh901318.c dmaengine: coh901318: Remove unnecessary 0x prefixes before %pad 2017-11-08 10:46:46 +05:30
coh901318.h
dma-axi-dmac.c dmaengine: axi-dmac: Request IRQ with IRQF_SHARED 2018-05-02 10:06:42 +05:30
dma-jz4740.c dmaengine: jz4740: disable/unprepare clk if probe fails 2017-12-11 09:00:06 +05:30
dma-jz4780.c dmaengine: dma-jz4780: Return error if not probed from DT 2018-11-13 11:08:38 -08:00
dmaengine.c Merge branch 'ida-4.19' of git://git.infradead.org/users/willy/linux-dax 2018-08-26 11:48:42 -07:00
dmaengine.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dmatest.c dmaengine: dmatest: Abort test in case of mapping error 2019-03-13 14:02:36 -07:00
ep93xx_dma.c headers: separate linux/mod_devicetable.h from linux/platform_device.h 2018-07-07 17:52:26 +02:00
fsl_raid.c dmaengine: fsl_raid: make of_device_ids const. 2017-06-29 09:25:28 +05:30
fsl_raid.h
fsl-edma.c dmaengine: fsl-edma: disable clks on all error paths 2017-12-15 09:53:04 +05:30
fsldma.c dmaengine: fsldma: simplify getting .drvdata 2018-04-22 21:37:17 +05:30
fsldma.h dmaengine: fsldma: set BWC, DAHTS and SAHTS values correctly 2017-06-22 18:31:35 +05:30
idma64.c dmaengine: idma64: Use actual device for DMA transfers 2019-06-15 11:54:10 +02:00
idma64.h dmaengine: idma64: Use actual device for DMA transfers 2019-06-15 11:54:10 +02:00
img-mdc-dma.c dmaengine: img-mdc-dma: Use vchan_terminate_vdesc() instead of desc_free 2017-12-04 22:33:51 +05:30
imx-dma.c dmaengine: imx-dma: fix warning comparison of distinct pointer types 2019-04-05 22:33:15 +02:00
imx-sdma.c dmaengine: imx-sdma: fix use-after-free on probe error path 2019-07-26 09:13:56 +02:00
iop-adma.c dmaengine: iop-adma: convert callback to helper function 2016-08-08 08:11:39 +05:30
k3dma.c dmaengine: k3dma: Off by one in k3_of_dma_simple_xlate() 2018-06-28 11:57:21 +05:30
Kconfig Merge branch 'topic/imx' into for-linus 2018-08-17 17:59:27 +05:30
lpc18xx-dmamux.c
Makefile dmaengine: Add Actions Semi Owl family S900 DMA driver 2018-08-09 08:16:00 +05:30
mic_x100_dma.c dmaengine: mic_x100_dma: use devm_kzalloc to fix an issue 2018-08-27 11:16:04 +05:30
mic_x100_dma.h
mmp_pdma.c dmaengine: mmp_pdma: convert callback to helper function 2016-08-08 08:11:39 +05:30
mmp_tdma.c Merge branch 'topic/err_reporting' into for-linus 2016-10-03 09:17:33 +05:30
moxart-dma.c treewide: Use struct_size() for kmalloc()-family 2018-06-06 11:15:43 -07:00
mpc512x_dma.c Merge branch 'topic/err_reporting' into for-linus 2016-10-03 09:17:33 +05:30
mv_xor_v2.c dmaengine: mv_xor_v2: use {lower,upper}_32_bits to configure HW descriptor address 2018-07-25 17:53:22 +05:30
mv_xor.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
mv_xor.h dmaengine: mv_xor: Add support for scatter-gather DMA mode 2016-11-25 11:16:36 +05:30
mxs-dma.c dmaengine: mxs-dma: Switch to SPDX identifier 2018-05-23 11:10:31 +05:30
nbpfaxi.c dmaengine: nbpfaxi: Mark expected switch fall-through 2018-07-09 17:01:35 +05:30
of-dma.c dmaengine: Convert to using %pOF instead of full_name 2017-07-19 09:30:44 +05:30
owl-dma.c dmaengine: Add Actions Semi Owl family S900 DMA driver 2018-08-09 08:16:00 +05:30
pch_dma.c dmaengine: pch_dma: Replace PCI pool old API 2017-10-31 17:01:06 +05:30
pl330.c dmaengine: pl330: _stop: clear interrupt status 2019-05-31 06:46:14 -07:00
pxa_dma.c dmaengine: pxa: add a default requestor policy 2018-06-18 21:29:23 +02:00
s3c24xx-dma.c headers: separate linux/mod_devicetable.h from linux/platform_device.h 2018-07-07 17:52:26 +02:00
sa11x0-dma.c treewide: Use struct_size() for kmalloc()-family 2018-06-06 11:15:43 -07:00
sirf-dma.c dmaengine: sirf-dma: remove unused ‘sdesc’ 2016-12-12 22:25:22 +05:30
sprd-dma.c dmaengine: sprd: Fix block length overflow 2019-06-25 11:35:55 +08:00
st_fdma.c dmaengine: st_fdma: Fix the error return code in st_fdma_probe() 2016-10-19 22:29:33 +05:30
st_fdma.h dmaengine: st_fdma: Add STMicroelectronics FDMA driver header file 2016-10-18 20:12:06 +05:30
ste_dma40_ll.c dmaengine: ste_dma40_ll: make d40_width_to_bits static 2016-06-08 08:59:55 +05:30
ste_dma40_ll.h
ste_dma40.c dmaengine: ste_dma40: Remove VLA usage 2018-07-02 17:46:24 +05:30
stm32-dma.c dmaengine: stm32: replace "%p" with "%pK" 2018-07-09 23:01:57 +05:30
stm32-dmamux.c dmaengine: stm32-dmamux: fix a potential buffer overflow 2018-03-22 10:51:35 +05:30
stm32-mdma.c dmaengine: stm32: replace "%p" with "%pK" 2018-07-09 23:01:57 +05:30
sun4i-dma.c dmaengine: sun4i: fix invalid argument 2017-04-24 09:50:05 +05:30
sun6i-dma.c dmaengine: sun6i: Retrieve channel count/max request from devicetree 2017-10-23 11:44:03 +05:30
tegra20-apb-dma.c dmaengine: tegra: avoid overflow of byte tracking 2019-04-05 22:33:16 +02:00
tegra210-adma.c dmaengine: tegra210-adma: use devm_clk_*() helpers 2019-05-31 06:46:31 -07:00
timb_dma.c dmaengine: timb_dma: fix spelling mistake: "Couldnt" -> "Couldn't" 2017-12-11 08:57:38 +05:30
TODO
txx9dmac.c dmaengine: txx9dmac: simplify getting .drvdata 2018-04-22 21:38:06 +05:30
txx9dmac.h
virt-dma.c dmaengine: virt-dma: Add helper to free/reuse a descriptor 2017-12-04 22:33:51 +05:30
virt-dma.h dmaengine: virt-dma: Support for race free transfer termination 2017-12-04 22:33:51 +05:30
xgene-dma.c dmaengine: xgene-dma: remove unused xgene_dma_invalidate_buffer 2017-08-22 22:13:44 +05:30
zx_dma.c treewide: devm_kzalloc() -> devm_kcalloc() 2018-06-12 16:19:22 -07:00