ab4a8be7cb
commit 229e6ee43d2a160a1592b83aad620d6027084aad upstream.
Null pointer dereference occurs due to a race between smmu
driver probe and client driver probe, when of_dma_configure()
for client is called after the iommu_device_register() for smmu driver
probe has executed but before the driver_bound() for smmu driver
has been called.
Following is how the race occurs:
T1:Smmu device probe T2: Client device probe
really_probe()
arm_smmu_device_probe()
iommu_device_register()
really_probe()
platform_dma_configure()
of_dma_configure()
of_dma_configure_id()
of_iommu_configure()
iommu_probe_device()
iommu_init_device()
arm_smmu_probe_device()
arm_smmu_get_by_fwnode()
driver_find_device_by_fwnode()
driver_find_device()
next_device()
klist_next()
/* null ptr
assigned to smmu */
/* null ptr dereference
while smmu->streamid_mask */
driver_bound()
klist_add_tail()
When this null smmu pointer is dereferenced later in
arm_smmu_probe_device, the device crashes.
Fix this by deferring the probe of the client device
until the smmu device has bound to the arm smmu driver.
Fixes: 021bb8420d44 ("iommu/arm-smmu: Wire up generic configuration support")
Cc: stable@vger.kernel.org
Co-developed-by: Prakash Gupta <quic_guptap@quicinc.com>
Signed-off-by: Prakash Gupta <quic_guptap@quicinc.com>
Signed-off-by: Pratyush Brahma <quic_pbrahma@quicinc.com>
Link: https://lore.kernel.org/r/20241004090428.2035-1-quic_pbrahma@quicinc.com
[will: Add comment]
Signed-off-by: Will Deacon <will@kernel.org>
[rm: backport for context conflict prior to 6.8]
Signed-off-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|---|---|---|
| .. | ||
| amd | ||
| arm | ||
| intel | ||
| dma-iommu.c | ||
| exynos-cpif-iommu.c | ||
| exynos-cpif-iommu.h | ||
| exynos-iommu.c | ||
| exynos-pcie-iommu.c | ||
| exynos-pcie-iommu.h | ||
| fsl_pamu.c | ||
| fsl_pamu.h | ||
| fsl_pamu_domain.c | ||
| fsl_pamu_domain.h | ||
| hyperv-iommu.c | ||
| io-pgtable-arm-v7s.c | ||
| io-pgtable-arm.c | ||
| io-pgtable-arm.h | ||
| io-pgtable.c | ||
| ioasid.c | ||
| iommu-debugfs.c | ||
| iommu-sysfs.c | ||
| iommu-traces.c | ||
| iommu.c | ||
| iova.c | ||
| ipmmu-vmsa.c | ||
| irq_remapping.c | ||
| irq_remapping.h | ||
| Kconfig | ||
| Makefile | ||
| msm_iommu.c | ||
| msm_iommu.h | ||
| msm_iommu_hw-8xxx.h | ||
| mtk_iommu.c | ||
| mtk_iommu.h | ||
| mtk_iommu_v1.c | ||
| of_iommu.c | ||
| omap-iommu-debug.c | ||
| omap-iommu.c | ||
| omap-iommu.h | ||
| omap-iopgtable.h | ||
| rockchip-iommu.c | ||
| s390-iommu.c | ||
| samsung-iommu-fault.c | ||
| samsung-iommu-group.c | ||
| samsung-iommu.c | ||
| samsung-iommu.h | ||
| samsung-secure-iova.c | ||
| sun50i-iommu.c | ||
| tegra-gart.c | ||
| tegra-smmu.c | ||
| virtio-iommu.c | ||