When 'mcf_edma' is allocated, some space is allocated for a flexible array at the end of the struct. 'chans' item are allocated, that is to say 'pdata->dma_channels'.

Message ID f55d9154b7c600828f6fad3ea5fa791a5f17b9a4.1685172449.git.christophe.jaillet@wanadoo.fr
State New
Headers
Series When 'mcf_edma' is allocated, some space is allocated for a flexible array at the end of the struct. 'chans' item are allocated, that is to say 'pdata->dma_channels'. |

Commit Message

Christophe JAILLET May 27, 2023, 7:32 a.m. UTC
  Then, this number of item is stored in 'mcf_edma->n_chans'.

A few lines later, if 'mcf_edma->n_chans' is 0, then a default value of 64
is set.

This ends to no space allocated by devm_kzalloc() because chans was 0, but
64 items are read and/or written in some not allocated memory.

Change the logic to define a default value before allocating the memory.

Fixes: e7a3ff92eaf1 ("dmaengine: fsl-edma: add ColdFire mcf5441x edma support")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
---
If I'm correct, then:

   - the default value is hard-coded as 64. There is also a
        #define EDMA_CHANNELS 64
     which maybe could be used, or renamed as EDMA_DEFAULT_CHANNELS

   - mcf_edma_err_handler() looks bogus, because it considers that
     mcf_edma->chans has EDMA_CHANNELS items.
     I guess that something related to mcf_edma->n_chans is what is
     expected, but how should this be done?

Maybe, the EDMA_CHANNELS value should be used all the time?
Maybe, the number of chans should be limited to EDMA_CHANNELS?
Maybe, the number of chans should be at least EDMA_CHANNELS?

Maybe, maybe, maybe, but me, I don't know :(

All I know is that this patch compiles :)
and that it can gives Dan an idea for smatch for checking access to un-allocated
memory related to flexible array :)
---
 drivers/dma/mcf-edma.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
  

Comments

Christophe JAILLET May 27, 2023, 7:43 a.m. UTC | #1
Le 27/05/2023 à 09:32, Christophe JAILLET a écrit :
> Then, this number of item is stored in 'mcf_edma->n_chans'.
> 
> A few lines later, if 'mcf_edma->n_chans' is 0, then a default value of 64
> is set.
> 
> This ends to no space allocated by devm_kzalloc() because chans was 0, but
> 64 items are read and/or written in some not allocated memory.
> 
> Change the logic to define a default value before allocating the memory.
> 
> Fixes: e7a3ff92eaf1 ("dmaengine: fsl-edma: add ColdFire mcf5441x edma support")
> Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
> ---
> If I'm correct, then:
> 
>     - the default value is hard-coded as 64. There is also a
>          #define EDMA_CHANNELS 64
>       which maybe could be used, or renamed as EDMA_DEFAULT_CHANNELS
> 
>     - mcf_edma_err_handler() looks bogus, because it considers that
>       mcf_edma->chans has EDMA_CHANNELS items.
>       I guess that something related to mcf_edma->n_chans is what is
>       expected, but how should this be done?
> 
> Maybe, the EDMA_CHANNELS value should be used all the time?
> Maybe, the number of chans should be limited to EDMA_CHANNELS?
> Maybe, the number of chans should be at least EDMA_CHANNELS?
> 
> Maybe, maybe, maybe, but me, I don't know :(
> 
> All I know is that this patch compiles :)
> and that it can gives Dan an idea for smatch for checking access to un-allocated
> memory related to flexible array :)
> ---
>   drivers/dma/mcf-edma.c | 13 +++++++------
>   1 file changed, 7 insertions(+), 6 deletions(-)
> 

NAK, subject line missing.

A better V2 has been sent.
  

Patch

diff --git a/drivers/dma/mcf-edma.c b/drivers/dma/mcf-edma.c
index ebd8733f72ad..9413fad08a60 100644
--- a/drivers/dma/mcf-edma.c
+++ b/drivers/dma/mcf-edma.c
@@ -190,7 +190,13 @@  static int mcf_edma_probe(struct platform_device *pdev)
 		return -EINVAL;
 	}
 
-	chans = pdata->dma_channels;
+	if (!pdata->dma_channels) {
+		dev_info(&pdev->dev, "setting default channel number to 64");
+		chans = 64;
+	} else {
+		chans = pdata->dma_channels;
+	}
+
 	len = sizeof(*mcf_edma) + sizeof(*mcf_chan) * chans;
 	mcf_edma = devm_kzalloc(&pdev->dev, len, GFP_KERNEL);
 	if (!mcf_edma)
@@ -202,11 +208,6 @@  static int mcf_edma_probe(struct platform_device *pdev)
 	mcf_edma->drvdata = &mcf_data;
 	mcf_edma->big_endian = 1;
 
-	if (!mcf_edma->n_chans) {
-		dev_info(&pdev->dev, "setting default channel number to 64");
-		mcf_edma->n_chans = 64;
-	}
-
 	mutex_init(&mcf_edma->fsl_edma_mutex);
 
 	mcf_edma->membase = devm_platform_ioremap_resource(pdev, 0);