From c618a9be0e8c0f36baee2560860a0118a428fb26 Mon Sep 17 00:00:00 2001 From: Nicolas Ferre Date: Tue, 11 Sep 2012 17:21:44 +0200 Subject: [PATCH 1/4] dmaengine: at_hdmac: fix comment in atc_prep_slave_sg() s/dma_memcpy/slave_sg/ and it is sg length that we are talking about. Signed-off-by: Nicolas Ferre Cc: Stable [2.6.31+] Signed-off-by: Vinod Koul --- drivers/dma/at_hdmac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/dma/at_hdmac.c b/drivers/dma/at_hdmac.c index 3934fcc4e00b..6c09e186e960 100644 --- a/drivers/dma/at_hdmac.c +++ b/drivers/dma/at_hdmac.c @@ -661,7 +661,7 @@ atc_prep_slave_sg(struct dma_chan *chan, struct scatterlist *sgl, flags); if (unlikely(!atslave || !sg_len)) { - dev_dbg(chan2dev(chan), "prep_dma_memcpy: length is zero!\n"); + dev_dbg(chan2dev(chan), "prep_slave_sg: sg length is zero!\n"); return NULL; } From c456797681db814f4f5b36909e8e94047bf53d9c Mon Sep 17 00:00:00 2001 From: Nicolas Ferre Date: Tue, 11 Sep 2012 17:21:45 +0200 Subject: [PATCH 2/4] dmaengine: at_hdmac: check that each sg data length is non-null Avoid the construction of a malformed DMA request sent to the DMA controller. Log message is for debug only because this condition is unlikely to append and may only trigger at driver development time. Signed-off-by: Nicolas Ferre Cc: Stable [2.6.31+] Signed-off-by: Vinod Koul --- drivers/dma/at_hdmac.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/drivers/dma/at_hdmac.c b/drivers/dma/at_hdmac.c index 6c09e186e960..7ab6e26664a7 100644 --- a/drivers/dma/at_hdmac.c +++ b/drivers/dma/at_hdmac.c @@ -689,6 +689,11 @@ atc_prep_slave_sg(struct dma_chan *chan, struct scatterlist *sgl, mem = sg_dma_address(sg); len = sg_dma_len(sg); + if (unlikely(!len)) { + dev_dbg(chan2dev(chan), + "prep_slave_sg: sg(%d) data length is zero\n", i); + goto err; + } mem_width = 2; if (unlikely(mem & 3 || len & 3)) mem_width = 0; @@ -724,6 +729,11 @@ atc_prep_slave_sg(struct dma_chan *chan, struct scatterlist *sgl, mem = sg_dma_address(sg); len = sg_dma_len(sg); + if (unlikely(!len)) { + dev_dbg(chan2dev(chan), + "prep_slave_sg: sg(%d) data length is zero\n", i); + goto err; + } mem_width = 2; if (unlikely(mem & 3 || len & 3)) mem_width = 0; @@ -757,6 +767,7 @@ atc_prep_slave_sg(struct dma_chan *chan, struct scatterlist *sgl, err_desc_get: dev_err(chan2dev(chan), "not enough descriptors available\n"); +err: atc_desc_put(atchan, first); return NULL; } From 2e2c682becb20416c140aa0d6d3137b51a5c76da Mon Sep 17 00:00:00 2001 From: Sachin Kamat Date: Mon, 17 Sep 2012 15:20:22 +0530 Subject: [PATCH 3/4] DMA: PL330: Fix potential NULL pointer dereference in pl330_submit_req() 'r->cfg' is being checked for NULL. However, it is dereferenced in the previous statements. Thus moving those statements within the check. Signed-off-by: Sachin Kamat Acked-by: Jassi Brar Cc: Stable Signed-off-by: Vinod Koul --- drivers/dma/pl330.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c index e4feba6b03c0..a3b26ada8122 100644 --- a/drivers/dma/pl330.c +++ b/drivers/dma/pl330.c @@ -1567,17 +1567,19 @@ static int pl330_submit_req(void *ch_id, struct pl330_req *r) goto xfer_exit; } - /* Prefer Secure Channel */ - if (!_manager_ns(thrd)) - r->cfg->nonsecure = 0; - else - r->cfg->nonsecure = 1; /* Use last settings, if not provided */ - if (r->cfg) + if (r->cfg) { + /* Prefer Secure Channel */ + if (!_manager_ns(thrd)) + r->cfg->nonsecure = 0; + else + r->cfg->nonsecure = 1; + ccr = _prepare_ccr(r->cfg); - else + } else { ccr = readl(regs + CC(thrd->id)); + } /* If this req doesn't have valid xfer settings */ if (!_is_valid(ccr)) { From 61c6e7531d3b66b33187b8cdd700fd8ab93ffd62 Mon Sep 17 00:00:00 2001 From: Sachin Kamat Date: Mon, 17 Sep 2012 15:20:23 +0530 Subject: [PATCH 4/4] DMA: PL330: Check the pointer returned by kzalloc kzalloc could return NULL. Hence add a check to avoid NULL pointer dereference. Signed-off-by: Sachin Kamat Acked-by: Jassi Brar Cc: Stable Signed-off-by: Vinod Koul --- drivers/dma/pl330.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c index a3b26ada8122..f5843bc80baa 100644 --- a/drivers/dma/pl330.c +++ b/drivers/dma/pl330.c @@ -2930,6 +2930,11 @@ pl330_probe(struct amba_device *adev, const struct amba_id *id) num_chan = max_t(int, pi->pcfg.num_peri, pi->pcfg.num_chan); pdmac->peripherals = kzalloc(num_chan * sizeof(*pch), GFP_KERNEL); + if (!pdmac->peripherals) { + ret = -ENOMEM; + dev_err(&adev->dev, "unable to allocate pdmac->peripherals\n"); + goto probe_err5; + } for (i = 0; i < num_chan; i++) { pch = &pdmac->peripherals[i];