From patchwork Sun Sep 13 20:15:53 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Emilio_L=C3=B3pez?= X-Patchwork-Id: 7170931 Return-Path: X-Original-To: patchwork-dmaengine@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork1.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork1.web.kernel.org (Postfix) with ESMTP id B4F1E9F326 for ; Sun, 13 Sep 2015 21:01:59 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id D09F02065B for ; Sun, 13 Sep 2015 21:01:58 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id C5BF1205FE for ; Sun, 13 Sep 2015 21:01:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755220AbbIMVB5 (ORCPT ); Sun, 13 Sep 2015 17:01:57 -0400 Received: from yotta.elopez.com.ar ([185.83.216.59]:41675 "EHLO yotta.elopez.com.ar" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755199AbbIMVB5 (ORCPT ); Sun, 13 Sep 2015 17:01:57 -0400 X-Greylist: delayed 2662 seconds by postgrey-1.27 at vger.kernel.org; Sun, 13 Sep 2015 17:01:56 EDT DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=elopez.com.ar; s=mail; h=Content-Transfer-Encoding:Content-Type: MIME-Version:Message-Id:Date:Subject:Cc:To:From; bh=ZPuMUt4NH2TgqKfv4OI5hdJHPQbpPbybtyMtP1CsLZ8=; b=YqAdf/HJefQuUtvA+JZFrQntnx 4kMFjLl31lL062X5jkauaPIb7IRkcIAWUKcecpa5D/MlrCYklQVVHGmOqDZv+XlB+sI1CP8MW7ykW tDG6+NpGdmfSKEP/q0grDnSHsM5a+3/KPhp5Fd5n9tLC0EVkwtf2Mx1RMVYEKQS2Rj2aKaJVB2ZeE Myz4kSL4Lm7kvpkg8bNpSPTzLMxoHjJBEuYqAPpgU5u6pUqKh2nYJFDH3a5942BIT1nfLQAnKwFjd ds/g+E/E/Eg7yzffwVo7ASiHd3VPDYwNSHOfV4bQ80tnI/Ke1l3rKlcCMBxUCugICHxCcuNlKXxSO rDh0Bv8w==; Received: from 201-212-128-157.cab.prima.net.ar ([201.212.128.157] helo=desktop.lan) by yotta.elopez.com.ar with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_CBC_SHA256:128) (Exim 4.86) id 1ZbDiL-0007Q1-Vo; Sun, 13 Sep 2015 17:17:30 -0300 From: =?UTF-8?q?Emilio=20L=C3=B3pez?= To: vinod.koul@intel.com, maxime.ripard@free-electrons.com Cc: dan.j.williams@intel.com, dmaengine@vger.kernel.org, linux-arm-kernel@lists.infradead.org, dan.carpenter@oracle.com, =?UTF-8?q?Emilio=20L=C3=B3pez?= Subject: [PATCH] dmaengine: sun4i: fix unsafe list iteration Date: Sun, 13 Sep 2015 17:15:53 -0300 Message-Id: <1442175353-4433-1-git-send-email-emilio@elopez.com.ar> X-Mailer: git-send-email 2.5.1 MIME-Version: 1.0 Sender: dmaengine-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: dmaengine@vger.kernel.org X-Spam-Status: No, score=-6.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,T_DKIM_INVALID,T_RP_MATCHES_RCVD,UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Currently, sun4i_dma_free_contract iterates over lists and frees memory as it goes through them, causing reads to recently freed memory to be performed. Fix this by using the safe version of the iterator, so freed memory is not referenced at all. Reported-by: Dan Carpenter Signed-off-by: Emilio López Acked-by: Maxime Ripard --- Hi, This is a patch to fix an issue pointed out by Dan on http://www.spinics.net/lists/dmaengine/msg05822.html I didn't get a chance to test a system with this, but it looks trivial enough and it builds. This should go in the -rc cycle, and there's no need for stable as the driver just landed this merge window. Cheers, Emilio drivers/dma/sun4i-dma.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/dma/sun4i-dma.c b/drivers/dma/sun4i-dma.c index a1a500d..1661d518 100644 --- a/drivers/dma/sun4i-dma.c +++ b/drivers/dma/sun4i-dma.c @@ -599,13 +599,13 @@ get_next_cyclic_promise(struct sun4i_dma_contract *contract) static void sun4i_dma_free_contract(struct virt_dma_desc *vd) { struct sun4i_dma_contract *contract = to_sun4i_dma_contract(vd); - struct sun4i_dma_promise *promise; + struct sun4i_dma_promise *promise, *tmp; /* Free all the demands and completed demands */ - list_for_each_entry(promise, &contract->demands, list) + list_for_each_entry_safe(promise, tmp, &contract->demands, list) kfree(promise); - list_for_each_entry(promise, &contract->completed_demands, list) + list_for_each_entry_safe(promise, tmp, &contract->completed_demands, list) kfree(promise); kfree(contract);