> Ben Wolsieffer <benwolsieffer@xxxxxxxxx> hat am 4. November 2018 um 00:32 geschrieben: > > > The compatibility ioctl wrapper for VCHIQ_IOC_AWAIT_COMPLETION assumes that > the native ioctl always uses a message buffer and decrements msgbufcount. > Certain message types do not use a message buffer and in this case > msgbufcount is not decremented, and completion->header for the message is > NULL. Because the wrapper unconditionally decrements msgbufcount, the > calling process may assume that a message buffer has been used even when > it has not. > > This results in a memory leak in the userspace code that interfaces with > this driver. When msgbufcount is decremented, the userspace code assumes > that the buffer can be freed though the reference in completion->header, > which cannot happen when the reference is NULL. > > This patch causes the wrapper to only decrement msgbufcount when the > native ioctl decrements it. Note that we cannot simply copy the native > ioctl's value of msgbufcount, because the wrapper only retrieves messages > from the native ioctl one at a time, while userspace may request multiple > messages. > > See https://github.com/raspberrypi/linux/pull/2703 for more discussion of > this patch. > > Fixes: 5569a12 ("staging: vchiq_arm: Add compatibility wrappers for ioctls") > > Signed-off-by: Ben Wolsieffer <benwolsieffer@xxxxxxxxx> Acked-by: Stefan Wahren <stefan.wahren@xxxxxxxx> _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
