dmaengine: dw-edma: Fix use after free in dw_edma_alloc_chunk()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

If the dw_edma_alloc_burst() function fails then we free "chunk" but
it's still on the "desc->chunk->list" list so it will lead to a use
after free. Also the "->chunks_alloc" count is incremented when it
shouldn't be.

In current kernels small allocations are guaranteed to succeed and
dw_edma_alloc_burst() can't fail so this will not actually affect
runtime.

Fixes: e63d79d1ffcd ("dmaengine: Add Synopsys eDMA IP core driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Gustavo Pimentel <gustavo.pimentel@synopsys.com>
Link: https://lore.kernel.org/r/X9dTBFrUPEvvW7qc@mwanda
Signed-off-by: Vinod Koul <vkoul@kernel.org>

authored by

Dan Carpenter and committed by

Vinod Koul 5 years ago 595a3341 d645148c

+2 -2

1 changed file

expand all

drivers

dma

dw-edma

dw-edma-core.c

+2 -2

drivers/dma/dw-edma/dw-edma-core.c

··· 86 86 87 87 if (desc->chunk) { 88 88 /* Create and add new element into the linked list */ 89 - desc->chunks_alloc++; 90 - list_add_tail(&chunk->list, &desc->chunk->list); 91 89 if (!dw_edma_alloc_burst(chunk)) { 92 90 kfree(chunk); 93 91 return NULL; 94 92 } 93 + desc->chunks_alloc++; 94 + list_add_tail(&chunk->list, &desc->chunk->list); 95 95 } else { 96 96 /* List head */ 97 97 chunk->burst = NULL;