[PATCH 5.4 160/408] dmaengine: dmatest: Check list for emptiness before access its last entry

From: Greg Kroah-Hartman
Date: Tue Oct 27 2020 - 13:37:29 EST


From: Andy Shevchenko <andriy.shevchenko@xxxxxxxxxxxxxxx>

[ Upstream commit b28de385b71abf31ce68ec0387638bee26ae9024 ]

After writing a garbage to the channel we get an Oops in dmatest_chan_set()
due to access to last entry in the empty list.

[ 212.670672] BUG: unable to handle page fault for address: fffffff000000020
[ 212.677562] #PF: supervisor read access in kernel mode
[ 212.682702] #PF: error_code(0x0000) - not-present page
...
[ 212.710074] RIP: 0010:dmatest_chan_set+0x149/0x2d0 [dmatest]
[ 212.715739] Code: e8 cc f9 ff ff 48 8b 1d 0d 55 00 00 48 83 7b 10 00 0f 84 63 01 00 00 48 c7 c7 d0 65 4d c0 e8 ee 4a f5 e1 48 89 c6 48 8b 43 10 <48> 8b 40 20 48 8b 78 58 48 85 ff 0f 84 f5 00 00 00 e8 b1 41 f5 e1

Fix this by checking list for emptiness before accessing its last entry.

Fixes: d53513d5dc28 ("dmaengine: dmatest: Add support for multi channel testing")
Cc: Vladimir Murzin <vladimir.murzin@xxxxxxx>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@xxxxxxxxxxxxxxx>
Tested-by: Peter Ujfalusi <peter.ujfalusi@xxxxxx>
Link: https://lore.kernel.org/r/20200922115847.30100-2-andriy.shevchenko@xxxxxxxxxxxxxxx
Signed-off-by: Vinod Koul <vkoul@xxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---
drivers/dma/dmatest.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/dma/dmatest.c b/drivers/dma/dmatest.c
index 62d9825a49e9d..238936e2dfe2d 100644
--- a/drivers/dma/dmatest.c
+++ b/drivers/dma/dmatest.c
@@ -1218,15 +1218,14 @@ static int dmatest_chan_set(const char *val, const struct kernel_param *kp)
add_threaded_test(info);

/* Check if channel was added successfully */
- dtc = list_last_entry(&info->channels, struct dmatest_chan, node);
-
- if (dtc->chan) {
+ if (!list_empty(&info->channels)) {
/*
* if new channel was not successfully added, revert the
* "test_channel" string to the name of the last successfully
* added channel. exception for when users issues empty string
* to channel parameter.
*/
+ dtc = list_last_entry(&info->channels, struct dmatest_chan, node);
if ((strcmp(dma_chan_name(dtc->chan), strim(test_channel)) != 0)
&& (strcmp("", strim(test_channel)) != 0)) {
ret = -EINVAL;
--
2.25.1