| Message ID | 1442175353-4433-1-git-send-email-emilio@elopez.com.ar |
|---|---|
| State | New |
| Headers | show |
On Sun, Sep 13, 2015 at 05:15:53PM -0300, Emilio López wrote: > Currently, sun4i_dma_free_contract iterates over lists and frees memory > as it goes through them, causing reads to recently freed memory to > be performed. Fix this by using the safe version of the iterator, so > freed memory is not referenced at all. > > Reported-by: Dan Carpenter <dan.carpenter@oracle.com> > Signed-off-by: Emilio López <emilio@elopez.com.ar> Acked-by: Maxime Ripard <maxime.ripard@free-electrons.com> Thanks! Maxime
On Sun, Sep 13, 2015 at 05:15:53PM -0300, Emilio López wrote: > Currently, sun4i_dma_free_contract iterates over lists and frees memory > as it goes through them, causing reads to recently freed memory to > be performed. Fix this by using the safe version of the iterator, so > freed memory is not referenced at all. Applied, thanks
diff --git a/drivers/dma/sun4i-dma.c b/drivers/dma/sun4i-dma.c index a1a500d..1661d518 100644 --- a/drivers/dma/sun4i-dma.c +++ b/drivers/dma/sun4i-dma.c @@ -599,13 +599,13 @@ get_next_cyclic_promise(struct sun4i_dma_contract *contract) static void sun4i_dma_free_contract(struct virt_dma_desc *vd) { struct sun4i_dma_contract *contract = to_sun4i_dma_contract(vd); - struct sun4i_dma_promise *promise; + struct sun4i_dma_promise *promise, *tmp; /* Free all the demands and completed demands */ - list_for_each_entry(promise, &contract->demands, list) + list_for_each_entry_safe(promise, tmp, &contract->demands, list) kfree(promise); - list_for_each_entry(promise, &contract->completed_demands, list) + list_for_each_entry_safe(promise, tmp, &contract->completed_demands, list) kfree(promise); kfree(contract);
Currently, sun4i_dma_free_contract iterates over lists and frees memory as it goes through them, causing reads to recently freed memory to be performed. Fix this by using the safe version of the iterator, so freed memory is not referenced at all. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Emilio López <emilio@elopez.com.ar> --- Hi, This is a patch to fix an issue pointed out by Dan on http://www.spinics.net/lists/dmaengine/msg05822.html I didn't get a chance to test a system with this, but it looks trivial enough and it builds. This should go in the -rc cycle, and there's no need for stable as the driver just landed this merge window. Cheers, Emilio drivers/dma/sun4i-dma.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)