On 12/04/18 17:06, Ioan Nicu wrote:
> Some of the mport_dma_req structure members were initialized late
> inside the do_dma_request() function, just before submitting the
> request to the dma engine. But we have some error branches before
> that. In case of such an error, the code would return on the error
> path and trigger the calling of dma_req_free() with a req structure
> which is not completely initialized. This causes a NULL pointer
> dereference in dma_req_free().
> 
> This patch fixes these error branches by making sure that all
> necessary mport_dma_req structure members are initialized in
> rio_dma_transfer() immediately after the request structure gets
> allocated.
> 
> Signed-off-by: Ioan Nicu <ioan.nicu....@nokia.com>

Tested-by: Alexander Sverdlin <alexander.sverd...@nokia.com>

> ---
>  drivers/rapidio/devices/rio_mport_cdev.c | 19 +++++++++----------
>  1 file changed, 9 insertions(+), 10 deletions(-)
> 
> diff --git a/drivers/rapidio/devices/rio_mport_cdev.c 
> b/drivers/rapidio/devices/rio_mport_cdev.c
> index 9d27016c899e..0434ab7b6497 100644
> --- a/drivers/rapidio/devices/rio_mport_cdev.c
> +++ b/drivers/rapidio/devices/rio_mport_cdev.c
> @@ -740,10 +740,7 @@ static int do_dma_request(struct mport_dma_req *req,
>       tx->callback = dma_xfer_callback;
>       tx->callback_param = req;
>  
> -     req->dmach = chan;
> -     req->sync = sync;
>       req->status = DMA_IN_PROGRESS;
> -     init_completion(&req->req_comp);
>       kref_get(&req->refcount);
>  
>       cookie = dmaengine_submit(tx);
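Review bot: with req->dmach and req->sync no longer set here (and init_completion() gone), do_dma_request() now depends on every caller having fully initialized the request before calling it; the only caller visible in this patch is rio_dma_transfer(), so the change is safe as long as no other path builds an mport_dma_req and submits it without going through that initialization. A one-line comment above the kref_get() stating that the request must already be initialized by the caller would make that contract explicit.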
> @@ -831,13 +828,20 @@ rio_dma_transfer(struct file *filp, u32 transfer_mode,
>       if (!req)
>               return -ENOMEM;
>  
> -     kref_init(&req->refcount);
> -
>       ret = get_dma_channel(priv);
>       if (ret) {
>               kfree(req);
>               return ret;
>       }
> +     chan = priv->dmach;
> +
> +     kref_init(&req->refcount);
> +     init_completion(&req->req_comp);
> +     req->dir = dir;
> +     req->filp = filp;
> +     req->priv = priv;
> +     req->dmach = chan;
> +     req->sync = sync;
>  
>       /*
>        * If parameter loc_addr != NULL, we are transferring data from/to
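Review bot: the ordering here is the whole fix, so it deserves a comment: kref_init(), init_completion() and the dir/filp/priv/dmach/sync assignments must stay immediately after get_dma_channel() succeeds and before any later error branch that drops the request via kref_put()/dma_req_free(), otherwise the NULL dereference described in the commit message comes back the next time someone moves a field assignment. Note also that the get_dma_channel() failure path still uses a plain kfree(req), which is correct only because kref_init() has not run yet; the two paths (kfree before init, kref_put after) should not be mixed.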
> @@ -925,11 +929,6 @@ rio_dma_transfer(struct file *filp, u32 transfer_mode,
>                               xfer->offset, xfer->length);
>       }
>  
> -     req->dir = dir;
> -     req->filp = filp;
> -     req->priv = priv;
> -     chan = priv->dmach;
> -
>       nents = dma_map_sg(chan->device->dev,
>                          req->sgt.sgl, req->sgt.nents, dir);
>       if (nents == 0) {
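Review bot: after this hunk nothing else in rio_dma_transfer() sets req->dir, req->filp, req->priv or chan, so the nents == 0 branch (and every error branch between the allocation and this point) now reaches dma_req_free() with those fields initialized, which is what the description relies on; it is worth confirming that dma_req_free() also behaves correctly when it is called for a request whose scatterlist was built but never successfully mapped, since the nents == 0 path exits exactly in that state.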

-- 
Best regards,
Alexander Sverdlin.
