| Message ID | 151001140261.77201.8823780763771880199.stgit@alans-desktop (mailing list archive) |
|---|---|
| State | Changes Requested, archived |
| Delegated to: | Sakari Ailus |
| Headers |
Received: from vger.kernel.org ([209.132.180.67]) by www.linuxtv.org with esmtp (Exim 4.84_2) (envelope-from <linux-media-owner@vger.kernel.org>) id 1eBqxn-0003cr-UJ; Mon, 06 Nov 2017 23:37:56 +0000 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753868AbdKFXhw (ORCPT <rfc822;mkrufky@linuxtv.org> + 1 other); Mon, 6 Nov 2017 18:37:52 -0500 Received: from www.llwyncelyn.cymru ([82.70.14.225]:48132 "EHLO fuzix.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752914AbdKFXhu (ORCPT <rfc822;linux-media@vger.kernel.org>); Mon, 6 Nov 2017 18:37:50 -0500 Received: from [10.40.0.25] (82-70-14-226.dsl.in-addr.zen.co.uk [82.70.14.226]) by fuzix.org (8.15.2/8.15.2) with ESMTP id vA6Nak2Q018578; Mon, 6 Nov 2017 23:36:46 GMT Subject: [PATCH 2/3] atomisp: fix vfree of bogus data on unload From: Alan <alan@linux.intel.com> To: vincent.hervieux@gmail.com, sakari.ailus@linux.intel.com, linux-media@vger.kernel.org Date: Mon, 06 Nov 2017 23:36:45 +0000 Message-ID: <151001140261.77201.8823780763771880199.stgit@alans-desktop> In-Reply-To: <151001137594.77201.4306351721772580664.stgit@alans-desktop> References: <151001137594.77201.4306351721772580664.stgit@alans-desktop> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: <linux-media.vger.kernel.org> X-Mailing-List: linux-media@vger.kernel.org |
Commit Message
Alan Cox
Nov. 6, 2017, 11:36 p.m. UTC
We load the firmware once, set pointers to it and then at some point release
it. We should not be doing a vfree() on the pointers into the firmware.
Signed-off-by: Alan Cox <alan@linux.intel.com>
---
.../atomisp/pci/atomisp2/css2400/sh_css_firmware.c | 2 --
1 file changed, 2 deletions(-)
Comments
Hi Alan, On Mon, Nov 06, 2017 at 11:36:45PM +0000, Alan wrote: > We load the firmware once, set pointers to it and then at some point release > it. We should not be doing a vfree() on the pointers into the firmware. > > Signed-off-by: Alan Cox <alan@linux.intel.com> > --- > .../atomisp/pci/atomisp2/css2400/sh_css_firmware.c | 2 -- > 1 file changed, 2 deletions(-) > > diff --git a/drivers/staging/media/atomisp/pci/atomisp2/css2400/sh_css_firmware.c b/drivers/staging/media/atomisp/pci/atomisp2/css2400/sh_css_firmware.c > index 8158ea40d069..f181bd8fcee2 100644 > --- a/drivers/staging/media/atomisp/pci/atomisp2/css2400/sh_css_firmware.c > +++ b/drivers/staging/media/atomisp/pci/atomisp2/css2400/sh_css_firmware.c > @@ -288,8 +288,6 @@ void sh_css_unload_firmware(void) > for (i = 0; i < sh_css_num_binaries; i++) { > if (fw_minibuffer[i].name) > kfree((void *)fw_minibuffer[i].name); > - if (fw_minibuffer[i].buffer) > - vfree((void *)fw_minibuffer[i].buffer); You shouldn't end up here if the firmware is just loaded once. If multiple times, then yes. The memory appears to have been allocated using kmalloc() in some cases. How about kvfree(), or changing that kmalloc() to vmalloc()? > } > kfree(fw_minibuffer); > fw_minibuffer = NULL; >
On Tue, 14 Nov 2017 00:05:48 +0200 Sakari Ailus <sakari.ailus@linux.intel.com> wrote: > Hi Alan, > > On Mon, Nov 06, 2017 at 11:36:45PM +0000, Alan wrote: > > We load the firmware once, set pointers to it and then at some point release > > it. We should not be doing a vfree() on the pointers into the firmware. > > > > Signed-off-by: Alan Cox <alan@linux.intel.com> > > --- > > .../atomisp/pci/atomisp2/css2400/sh_css_firmware.c | 2 -- > > 1 file changed, 2 deletions(-) > > > > diff --git a/drivers/staging/media/atomisp/pci/atomisp2/css2400/sh_css_firmware.c b/drivers/staging/media/atomisp/pci/atomisp2/css2400/sh_css_firmware.c > > index 8158ea40d069..f181bd8fcee2 100644 > > --- a/drivers/staging/media/atomisp/pci/atomisp2/css2400/sh_css_firmware.c > > +++ b/drivers/staging/media/atomisp/pci/atomisp2/css2400/sh_css_firmware.c > > @@ -288,8 +288,6 @@ void sh_css_unload_firmware(void) > > for (i = 0; i < sh_css_num_binaries; i++) { > > if (fw_minibuffer[i].name) > > kfree((void *)fw_minibuffer[i].name); > > - if (fw_minibuffer[i].buffer) > > - vfree((void *)fw_minibuffer[i].buffer); > > You shouldn't end up here if the firmware is just loaded once. If multiple > times, then yes. You end up there when unloading the module. > The memory appears to have been allocated using kmalloc() in some cases. > How about kvfree(), or changing that kmalloc() to vmalloc() I'll take a deeper look at what is going on. Alan
On Tue, Nov 14, 2017 at 12:16:01AM +0000, Alan Cox wrote: > On Tue, 14 Nov 2017 00:05:48 +0200 > Sakari Ailus <sakari.ailus@linux.intel.com> wrote: > > > Hi Alan, > > > > On Mon, Nov 06, 2017 at 11:36:45PM +0000, Alan wrote: > > > We load the firmware once, set pointers to it and then at some point release > > > it. We should not be doing a vfree() on the pointers into the firmware. > > > > > > Signed-off-by: Alan Cox <alan@linux.intel.com> > > > --- > > > .../atomisp/pci/atomisp2/css2400/sh_css_firmware.c | 2 -- > > > 1 file changed, 2 deletions(-) > > > > > > diff --git a/drivers/staging/media/atomisp/pci/atomisp2/css2400/sh_css_firmware.c b/drivers/staging/media/atomisp/pci/atomisp2/css2400/sh_css_firmware.c > > > index 8158ea40d069..f181bd8fcee2 100644 > > > --- a/drivers/staging/media/atomisp/pci/atomisp2/css2400/sh_css_firmware.c > > > +++ b/drivers/staging/media/atomisp/pci/atomisp2/css2400/sh_css_firmware.c > > > @@ -288,8 +288,6 @@ void sh_css_unload_firmware(void) > > > for (i = 0; i < sh_css_num_binaries; i++) { > > > if (fw_minibuffer[i].name) > > > kfree((void *)fw_minibuffer[i].name); > > > - if (fw_minibuffer[i].buffer) > > > - vfree((void *)fw_minibuffer[i].buffer); > > > > You shouldn't end up here if the firmware is just loaded once. If multiple > > times, then yes. > > You end up there when unloading the module. Ah, that's for sure indeed. I thought loading would be already a challenge. :-) > > > The memory appears to have been allocated using kmalloc() in some cases. > > How about kvfree(), or changing that kmalloc() to vmalloc() > > I'll take a deeper look at what is going on. Look for minibuffer in sh_css_load_blob_info(). The buffer field of the struct is allocated using kmalloc, I wonder if changing that to vmalloc would just address this. The buffer is elsewhere allocated using vmalloc. I suspect that some of the cleanup patches changed how this works but missed changing the other one.
diff --git a/drivers/staging/media/atomisp/pci/atomisp2/css2400/sh_css_firmware.c b/drivers/staging/media/atomisp/pci/atomisp2/css2400/sh_css_firmware.c index 8158ea40d069..f181bd8fcee2 100644 --- a/drivers/staging/media/atomisp/pci/atomisp2/css2400/sh_css_firmware.c +++ b/drivers/staging/media/atomisp/pci/atomisp2/css2400/sh_css_firmware.c @@ -288,8 +288,6 @@ void sh_css_unload_firmware(void) for (i = 0; i < sh_css_num_binaries; i++) { if (fw_minibuffer[i].name) kfree((void *)fw_minibuffer[i].name); - if (fw_minibuffer[i].buffer) - vfree((void *)fw_minibuffer[i].buffer); } kfree(fw_minibuffer); fw_minibuffer = NULL;