Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit dba59909 authored by Sebastian Ott's avatar Sebastian Ott Committed by Martin Schwidefsky
Browse files

s390/pci: fix use after free in dma_init 



After a failure during registration of the dma_table (because of the
function being in error state) we free its memory but don't reset the
associated pointer to zero.

When we then receive a notification from firmware (about the function
being in error state) we'll try to walk and free the dma_table again.

Fix this by resetting the dma_table pointer. In addition to that make
sure that we free the iommu_bitmap when appropriate.

Signed-off-by: default avatarSebastian Ott <sebott@linux.vnet.ibm.com>
Reviewed-by: default avatarGerald Schaefer <gerald.schaefer@de.ibm.com>
Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
parent 55f058e7

arch/s390/pci/pci_dma.c

+10 −6
Original line number Diff line number Diff line
@@ -457,7 +457,7 @@ int zpci_dma_init_device(struct zpci_dev *zdev) 
	zdev->dma_table = dma_alloc_cpu_table();

	if (!zdev->dma_table) {

		rc = -ENOMEM;

		goto out_clean;

		goto out;

	}



	/*
@@ -477,18 +477,22 @@ int zpci_dma_init_device(struct zpci_dev *zdev) 
	zdev->iommu_bitmap = vzalloc(zdev->iommu_pages / 8);

	if (!zdev->iommu_bitmap) {

		rc = -ENOMEM;

		goto out_reg;

		goto free_dma_table;

	}



	rc = zpci_register_ioat(zdev, 0, zdev->start_dma, zdev->end_dma,

				(u64) zdev->dma_table);

	if (rc)

		goto out_reg;

	return 0;

		goto free_bitmap;



out_reg:

	return 0;

free_bitmap:

	vfree(zdev->iommu_bitmap);

	zdev->iommu_bitmap = NULL;

free_dma_table:

	dma_free_cpu_table(zdev->dma_table);

out_clean:

	zdev->dma_table = NULL;

out:

	return rc;

}