On 4/13/22 22:56, Xiaomeng Tong wrote:
The bug is here: pmem->vaddr = NULL;
The list iterator 'pmem' will point to a bogus position containing HEAD if the list is empty or no element is found. This case must be checked before any use of the iterator, otherwise it will lead to an invalid memory access.
To fix this bug, just gen_pool_free/set NULL/list_del() and return when found, otherwise list_del HEAD and return;
Cc: stable@vger.kernel.org
Fixes: 7ca5ce896524f ("firmware: add Intel Stratix10 service layer driver")
Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com>
drivers/firmware/stratix10-svc.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/firmware/stratix10-svc.c b/drivers/firmware/stratix10-svc.c index 29c0a616b317..30093aa82b7f 100644 --- a/drivers/firmware/stratix10-svc.c +++ b/drivers/firmware/stratix10-svc.c @@ -941,17 +941,17 @@ EXPORT_SYMBOL_GPL(stratix10_svc_allocate_memory); void stratix10_svc_free_memory(struct stratix10_svc_chan *chan, void *kaddr) { struct stratix10_svc_data_mem *pmem;
- size_t size = 0;
list_for_each_entry(pmem, &svc_data_mem, node) if (pmem->vaddr == kaddr) {
size = pmem->size;
break;
gen_pool_free(chan->ctrl->genpool,
(unsigned long)kaddr, pmem->size);
pmem->vaddr = NULL;
list_del(&pmem->node);
}return;
- gen_pool_free(chan->ctrl->genpool, (unsigned long)kaddr, size);
- pmem->vaddr = NULL;
- list_del(&pmem->node);
- list_del(&svc_data_mem); } EXPORT_SYMBOL_GPL(stratix10_svc_free_memory);
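Review bot: The not-found path at the end of stratix10_svc_free_memory() calls `list_del(&svc_data_mem);`, which unlinks the list head itself rather than an entry; the commit message states this is intended ("otherwise list_del HEAD and return"). list_del() poisons the next/prev pointers of the node it removes, so after one call with a kaddr that is not on the list, any later list_for_each_entry() over svc_data_mem starts from a poisoned head, and entries still on the list can no longer be reached to be freed. Suggest dropping that call and simply returning when no entry matches, optionally with a warning about the unknown kaddr, and keeping the found path (`gen_pool_free()`, `pmem->vaddr = NULL`, `list_del(&pmem->node)`, `return`) as it is.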
Acked-by: Dinh Nguyen <dinguyen@kernel.org>