From patchwork Tue Sep 23 19:41:11 2014
X-Patchwork-Submitter: Mark Einon
X-Patchwork-Id: 392650
X-Patchwork-Delegate: davem@davemloft.net
From: Mark Einon To: gregkh@linuxfoundation.org Cc: devel@driverdev.osuosl.org, tklauser@distanz.ch, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Mark Einon Subject: [PATCH 1/4] staging: et131x: zero allocation of fbr to prevent random address access Date: Tue, 23 Sep 2014 20:41:11 +0100 Message-Id: <1411501274-2970-1-git-send-email-mark.einon@gmail.com> X-Mailer: git-send-email 2.1.0 In-Reply-To: <20140923100106.GE4657@distanz.ch> References: <20140923100106.GE4657@distanz.ch> Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org If et131x_rx_dma_memory_alloc() allocates rx_ring->fbr[0] but fails to allocate rx_ring->fbr[1], this leaves fbr[0]->ring_virtaddr with the possibility of being accessed in et131x_rx_dma_memory_free() as it contains a random value, potentially causing an oops. Fix this by zeroing the fbr memory on allocation. Subsequent frees of this fbr memory explicitly zeros the ring_virtaddr value. Reported-by: Tobias Klauser Signed-off-by: Mark Einon --- drivers/staging/et131x/et131x.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/staging/et131x/et131x.c b/drivers/staging/et131x/et131x.c index 93afd61..2889f86 100644 --- a/drivers/staging/et131x/et131x.c +++ b/drivers/staging/et131x/et131x.c @@ -2003,10 +2003,10 @@ static int et131x_rx_dma_memory_alloc(struct et131x_adapter *adapter) struct fbr_lookup *fbr; /* Alloc memory for the lookup table */ - rx_ring->fbr[0] = kmalloc(sizeof(*fbr), GFP_KERNEL); + rx_ring->fbr[0] = kzalloc(sizeof(*fbr), GFP_KERNEL); if (rx_ring->fbr[0] == NULL) return -ENOMEM; - rx_ring->fbr[1] = kmalloc(sizeof(*fbr), GFP_KERNEL); + rx_ring->fbr[1] = kzalloc(sizeof(*fbr), GFP_KERNEL); if (rx_ring->fbr[1] == NULL) return -ENOMEM;
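Review bot: The early "return -ENOMEM" after the fbr[1] allocation still leaves rx_ring->fbr[0] allocated and rx_ring->fbr[1] NULL, so switching to kzalloc() only closes the problem if et131x_rx_dma_memory_free() checks each fbr pointer for NULL before it reads ring_virtaddr. The commit message describes the stale fbr[0]->ring_virtaddr case but does not say how the free path handles the NULL fbr[1], or a NULL fbr[0] when the first allocation fails. Please either state that in the changelog or unwind locally here, freeing fbr[0] and setting it to NULL before returning. A code comment next to the two kzalloc() calls noting that the free routine depends on zeroed ring_virtaddr would keep a later change from reverting to kmalloc(). Minor style point while these lines are being touched: "if (!rx_ring->fbr[0])" is the usual kernel form rather than the "== NULL" comparison.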