From patchwork Fri Aug 21 18:02:54 2015
X-Patchwork-Submitter: Geert Uytterhoeven
X-Patchwork-Id: 7053331
X-Patchwork-Delegate: geert@linux-m68k.org
From: Geert Uytterhoeven
To: Greg Kroah-Hartman , Jiri Slaby
Cc: Magnus Damm , Yoshihiro Shimoda , Laurent Pinchart , Nobuhiro Iwamatsu , Yoshihiro Kaneko , Kazuya Mizuguchi , Koji Matsuoka , Wolfram Sang , Guennadi Liakhovetski , linux-serial@vger.kernel.org, linux-sh@vger.kernel.org, Geert Uytterhoeven
Subject: [PATCH v3 30/33] serial: sh-sci: Fix NULL pointer dereference if HIGHMEM is enabled
Date: Fri, 21 Aug 2015 20:02:54 +0200
Message-Id: <1440180177-6924-31-git-send-email-geert+renesas@glider.be>
X-Mailer: git-send-email 1.9.1
In-Reply-To: <1440180177-6924-1-git-send-email-geert+renesas@glider.be>
References: <1440180177-6924-1-git-send-email-geert+renesas@glider.be>
X-Mailing-List: linux-sh@vger.kernel.org

From: Yoshihiro Shimoda

This patch fixes an issue that this driver causes a NULL pointer
dereference in the following conditions:
 - CONFIG_HIGHMEM and CONFIG_SERIAL_SH_SCI_DMA are enabled
 - This driver runs on the sci_dma_rx_push()

This issue was caused by virt_to_page(buf) in the sci_request_dma()
because this driver didn't check if the "buf" was valid or not.
So, this patch uses the "buf" from dma_alloc_coherent() as is,
not page.

This patch also fixes a WARNING issue in sci_rx_dma_release():

WARNING: CPU: 0 PID: 1328 at lib/dma-debug.c:1125 check_unmap+0x444/0x848()
rcar-dmac e6700000.dma-controller: DMA-API: device driver frees DMA memory with different CPU address [device address=0x000000006dd89000] [size=64 bytes] [cpu alloc address=0x000000016189c000] [cpu free address=0x0000000080000000]

WARNING: CPU: 1 PID: 1 at drivers/base/dma-mapping.c:334 dma_common_free_remap+0x48/0x6c()
trying to free invalid coherent area: (null)

Signed-off-by: Yoshihiro Shimoda [geert] Rebased [geert] Reworded [geert] Dropped .rx_chunk, as it's always identical to .rx_buf[0] Signed-off-by: Geert Uytterhoeven --- v3: - Assimilated into my series. --- drivers/tty/serial/sh-sci.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c index 681e52a087c2e821..70e16f402e3108f4 100644 --- a/drivers/tty/serial/sh-sci.c +++ b/drivers/tty/serial/sh-sci.c @@ -110,6 +110,7 @@ struct sci_port { dma_addr_t tx_dma_addr; unsigned int tx_dma_len; struct scatterlist sg_rx[2]; + void *rx_buf[2]; size_t buf_len_rx; struct sh_dmae_slave param_tx; struct sh_dmae_slave param_rx; @@ -1301,14 +1302,13 @@ static void sci_dma_tx_complete(void *arg) } /* Locking: called with port lock held */ -static int sci_dma_rx_push(struct sci_port *s, struct scatterlist *sg, - size_t count) +static int sci_dma_rx_push(struct sci_port *s, void *buf, size_t count) { struct uart_port *port = &s->port; struct tty_port *tport = &port->state->port; int copied; - copied = tty_insert_flip_string(tport, sg_virt(sg), count); + copied = tty_insert_flip_string(tport, buf, count); if (copied < count) { dev_warn(port->dev, "Rx overrun: dropping %zu bytes\n", count - copied); @@ -1347,7 +1347,7 @@ static void sci_dma_rx_complete(void *arg) active = sci_dma_rx_find_active(s); if (active >= 0) - count = sci_dma_rx_push(s, &s->sg_rx[active], s->buf_len_rx); + count = sci_dma_rx_push(s, s->rx_buf[active], s->buf_len_rx); mod_timer(&s->rx_timer, jiffies + s->rx_timeout); 
@@ -1370,8 +1370,8 @@ static void sci_rx_dma_release(struct sci_port *s, bool enable_pio) s->cookie_rx[0] = s->cookie_rx[1] = -EINVAL; spin_unlock_irqrestore(&port->lock, flags); dmaengine_terminate_all(chan); - dma_free_coherent(chan->device->dev, s->buf_len_rx * 2, - sg_virt(&s->sg_rx[0]), sg_dma_address(&s->sg_rx[0])); + dma_free_coherent(chan->device->dev, s->buf_len_rx * 2, s->rx_buf[0], + sg_dma_address(&s->sg_rx[0])); dma_release_channel(chan); if (enable_pio) sci_start_rx(port); @@ -1464,7 +1464,7 @@ static void work_fn_rx(struct work_struct *work) dev_dbg(port->dev, "Read %u bytes with cookie %d\n", read, s->active_rx); - count = sci_dma_rx_push(s, &s->sg_rx[new], read); + count = sci_dma_rx_push(s, s->rx_buf[new], read); if (count) tty_flip_buffer_push(&port->state->port); @@ -1756,9 +1756,9 @@ static void sci_request_dma(struct uart_port *port) struct scatterlist *sg = &s->sg_rx[i]; sg_init_table(sg, 1); - sg_set_page(sg, virt_to_page(buf), s->buf_len_rx, - (uintptr_t)buf & ~PAGE_MASK); + s->rx_buf[i] = buf; sg_dma_address(sg) = dma; + sg->length = s->buf_len_rx; buf += s->buf_len_rx; dma += s->buf_len_rx;
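
Review bot: the new `void *rx_buf[2];` member in the struct sci_port hunk is undocumented, and nothing in the struct says it is paired index-for-index with sg_rx[2]. After this patch sg_rx[i] carries only the DMA address and length while rx_buf[i] carries the CPU address of the same half-buffer, so a one-line comment stating that pairing would stop a later change from calling sg_virt() on sg_rx[] again, which is the exact pattern the patch removes from sci_dma_rx_push() and sci_rx_dma_release().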
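
Review bot: in the sci_rx_dma_release() hunk, dma_free_coherent() frees `s->buf_len_rx * 2` bytes starting at `s->rx_buf[0]`, which is only correct because sci_request_dma() stores the base of the single allocation in index 0 and base + buf_len_rx in index 1. That invariant is implicit (the commit message mentions it only as the reason .rx_chunk was dropped), so it deserves a comment at the free site. Consider also setting s->rx_buf[0] and s->rx_buf[1] to NULL after the free, so that any later use shows up as an obvious NULL pointer rather than a stale pointer into freed coherent memory.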
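
Review bot: in the sci_request_dma() hunk, `sg->length = s->buf_len_rx;` sets the CPU-side length field directly, while the address next to it is set through the sg_dma_address() accessor. On configurations with CONFIG_NEED_SG_DMA_LENGTH, sg_dma_len() reads a separate dma_length field, so a DMA engine driver that uses sg_dma_len() on this entry would see an unset length. Since the entry now describes only an already-mapped coherent buffer, `sg_dma_len(sg) = s->buf_len_rx;` is the matching accessor. Also note that with sg_set_page() removed the entry has no page assigned, which is worth a short comment here so nobody relies on sg_page() or sg_virt() for sg_rx[] later.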