[5/5] accel/qaic: Fix a leak in map_user_pages()

Message ID	d04e5fc2-7b2b-4fb1-a9d7-17b55ecb9986@moroto.mountain (mailing list archive)
State	New, archived
Headers	show Return-Path: <dri-devel-bounces@lists.freedesktop.org> Date: Wed, 21 Jun 2023 10:22:38 +0300 From: Dan Carpenter <dan.carpenter@linaro.org> To: Jeffrey Hugo <quic_jhugo@quicinc.com> Subject: [PATCH 5/5] accel/qaic: Fix a leak in map_user_pages() Message-ID: <d04e5fc2-7b2b-4fb1-a9d7-17b55ecb9986@moroto.mountain> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <af83549b-ccb4-4a8d-b036-9359eba9d39f@moroto.mountain> Precedence: list Cc: linux-arm-msm@vger.kernel.org, Oded Gabbay <ogabbay@kernel.org>, kernel-janitors@vger.kernel.org, dri-devel@lists.freedesktop.org, Pranjal Ramajor Asha Kanojiya <quic_pkanojiy@quicinc.com>, Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>, Carl Vanderlip <quic_carlv@quicinc.com>, Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com> Errors-To: dri-devel-bounces@lists.freedesktop.org Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>
Series	accel/qaic: Improve bounds checking in encode/decode \| expand [0/5] accel/qaic: Improve bounds checking in encode/decode [1/5] accel/qaic: tighten bounds checking in encode_message() [2/5] accel/qaic: tighten bounds checking in decode_message() [3/5] accel/qaic: Add consistent integer overflow checks [4/5] accel/qaic: move and expand integer overflow checks for map_user_pages() [5/5] accel/qaic: Fix a leak in map_user_pages()

Message ID

d04e5fc2-7b2b-4fb1-a9d7-17b55ecb9986@moroto.mountain (mailing list archive)

State

New, archived

Headers

Date: Wed, 21 Jun 2023 10:22:38 +0300
From: Dan Carpenter <dan.carpenter@linaro.org>
To: Jeffrey Hugo <quic_jhugo@quicinc.com>
Subject: [PATCH 5/5] accel/qaic: Fix a leak in map_user_pages()
Message-ID: <d04e5fc2-7b2b-4fb1-a9d7-17b55ecb9986@moroto.mountain>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <af83549b-ccb4-4a8d-b036-9359eba9d39f@moroto.mountain>
Precedence: list
Cc: linux-arm-msm@vger.kernel.org, Oded Gabbay <ogabbay@kernel.org>,
 kernel-janitors@vger.kernel.org, dri-devel@lists.freedesktop.org,
 Pranjal Ramajor Asha Kanojiya <quic_pkanojiy@quicinc.com>,
 Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>,
 Carl Vanderlip <quic_carlv@quicinc.com>,
 Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
Errors-To: dri-devel-bounces@lists.freedesktop.org
Sender: "dri-devel" <dri-devel-bounces@lists.freedesktop.org>

Series

accel/qaic: Improve bounds checking in encode/decode | expand

Commit Message

Dan Carpenter June 21, 2023, 7:22 a.m. UTC

If get_user_pages_fast() allocates some pages but not as many as we
wanted, then the current code leaks those pages.  Call put_page() on
the pages before returning.

Fixes: 129776ac2e38 ("accel/qaic: Add control path")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
 drivers/accel/qaic/qaic_control.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

Comments

Jeffrey Hugo July 7, 2023, 7:24 p.m. UTC | #1

On 6/21/2023 1:22 AM, Dan Carpenter wrote:
> If get_user_pages_fast() allocates some pages but not as many as we
> wanted, then the current code leaks those pages.  Call put_page() on
> the pages before returning.
> 
> Fixes: 129776ac2e38 ("accel/qaic: Add control path")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>

Reviewed-by: Jeffrey Hugo <quic_jhugo@quicinc.com>

Pranjal Ramajor Asha Kanojiya July 8, 2023, 4:44 a.m. UTC | #2

On 6/21/2023 12:52 PM, Dan Carpenter wrote:
> If get_user_pages_fast() allocates some pages but not as many as we
> wanted, then the current code leaks those pages.  Call put_page() on
> the pages before returning.
> 
> Fixes: 129776ac2e38 ("accel/qaic: Add control path")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> ---
>   drivers/accel/qaic/qaic_control.c | 7 +++++--
>   1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/accel/qaic/qaic_control.c b/drivers/accel/qaic/qaic_control.c
> index 03932197f1ac..7c3f9009617f 100644
> --- a/drivers/accel/qaic/qaic_control.c
> +++ b/drivers/accel/qaic/qaic_control.c
> @@ -424,9 +424,12 @@ static int find_and_map_user_pages(struct qaic_device *qdev,
>   	}
>   
>   	ret = get_user_pages_fast(xfer_start_addr, nr_pages, 0, page_list);
> -	if (ret < 0 || ret != nr_pages) {
> -		ret = -EFAULT;
> +	if (ret < 0)
>   		goto free_page_list;
> +	if (ret != nr_pages) {
> +		nr_pages = ret;
> +		ret = -EFAULT;
> +		goto put_pages;
>   	}
>   
>   	sgt = kmalloc(sizeof(*sgt), GFP_KERNEL);

Thank you for catching this :)

Reviewed-by: Pranjal Ramajor Asha Kanojiya <quic_pkanojiy@quicinc.com>

diff --git a/drivers/accel/qaic/qaic_control.c b/drivers/accel/qaic/qaic_control.c
index 03932197f1ac..7c3f9009617f 100644
--- a/drivers/accel/qaic/qaic_control.c
+++ b/drivers/accel/qaic/qaic_control.c
@@ -424,9 +424,12 @@  static int find_and_map_user_pages(struct qaic_device *qdev,
 	}
 
 	ret = get_user_pages_fast(xfer_start_addr, nr_pages, 0, page_list);
-	if (ret < 0 || ret != nr_pages) {
-		ret = -EFAULT;
+	if (ret < 0)
 		goto free_page_list;
+	if (ret != nr_pages) {
+		nr_pages = ret;
+		ret = -EFAULT;
+		goto put_pages;
 	}
 
 	sgt = kmalloc(sizeof(*sgt), GFP_KERNEL);

[5/5] accel/qaic: Fix a leak in map_user_pages()

Commit Message

Comments

Patch