On 03-06-20, 22:59, gaurav singh wrote:
> The check: if (chan && (!len || !dest || !src)) indicates that chan can be
> NULL, however chan is dereferenced in multiple locations later without
> check. In the function: sf_pdma_alloc_desc() and later: chan->desc = desc;
> This can cause segmentation fault if chan is NULL and it doesn't return in
> the first check. To fix, this: add the check for chan right in the
> beginning.
>
> Please find the patch below. Let me know if there's any issue.
1. please send using git-send-email
2. pls run checkpatch, below formatting is crap
>
> Thank you.
> Gaurav.
>
> >From a2f18613751b4ce5b0dba3a273a75957d872ccd3 Mon Sep 17 00:00:00 2001
> From: Gaurav Singh <gaurav1086@xxxxxxxxx>
> Date: Wed, 3 Jun 2020 22:52:31 -0400
> Subject: [PATCH] dma_async_tx_descriptor: Fix null pointer dereference
Care to explain which null pointer dereference?
Also reread Documentation/process/submitting-patches.rst esp word about
subject lines
>
> ---
> drivers/dma/sf-pdma/sf-pdma.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/dma/sf-pdma/sf-pdma.c b/drivers/dma/sf-pdma/sf-pdma.c
> index 6d0bec947636..0cbc7b379d11 100644
> --- a/drivers/dma/sf-pdma/sf-pdma.c
> +++ b/drivers/dma/sf-pdma/sf-pdma.c
> @@ -94,7 +94,11 @@ sf_pdma_prep_dma_memcpy(struct dma_chan *dchan,
> dma_addr_t dest, dma_addr_t src,
> struct sf_pdma_chan *chan = to_sf_pdma_chan(dchan);
> struct sf_pdma_desc *desc;
>
> - if (chan && (!len || !dest || !src)) {
> + if (!chan) {
> + return NULL;
> + }
> +
> + if (!len || !dest || !src) {
> dev_err(chan->pdma->dma_dev.dev,
> "Please check dma len, dest, src!\n");
> return NULL;
> --
> 2.17.1
--
~Vinod
