Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 65088296 authored by Patrick Daly's avatar Patrick Daly Committed by Gerrit - the friendly Code Review server
Browse files

dma-mapping-fast: Fix iova address leak with non-zero scatterlist offset 



The underlying arm-smmu hardware only supports mapping addresses
aligned to PAGE_SIZE. Thus the actual mapped region may be larger than
the range returned by iommu_map_sg():

[sg_dma_address(), sg_dma_address() + sg->length)

When unmapping, ensure the same alignment requirements are applied
in order to avoid leaking iova addresses.

Change-Id: I1f5d5185d003cfe104b4a67efc1fe88f105f015f
Signed-off-by: default avatarPatrick Daly <pdaly@codeaurora.org>
parent 8876d1c1

drivers/iommu/dma-mapping-fast.c

+4 −3
Original line number Diff line number Diff line 
// SPDX-License-Identifier: GPL-2.0-only

/*

 * Copyright (c) 2016-2020, The Linux Foundation. All rights reserved.

 * Copyright (c) 2016-2021, The Linux Foundation. All rights reserved.

 */



#include <linux/dma-contiguous.h>
@@ -364,7 +364,7 @@ static void fast_smmu_unmap_sg(struct device *dev, 
	struct dma_fast_smmu_mapping *mapping = dev_get_mapping(dev);

	unsigned long flags;

	dma_addr_t start;

	size_t len;

	size_t len, offset;

	struct scatterlist *tmp;

	int i;
@@ -376,12 +376,13 @@ static void fast_smmu_unmap_sg(struct device *dev, 
	 * contiguous IOVA allocation, so this is incredibly easy.

	 */

	start = sg_dma_address(sg);

	offset = start & ~FAST_PAGE_MASK;

	for_each_sg(sg_next(sg), tmp, nelems - 1, i) {

		if (sg_dma_len(tmp) == 0)

			break;

		sg = tmp;

	}

	len = ALIGN(sg_dma_address(sg) + sg_dma_len(sg) - start,

	len = ALIGN(sg_dma_address(sg) + sg_dma_len(sg) - (start - offset),

		    FAST_PAGE_SIZE);



	av8l_fast_unmap_public(mapping->pgtbl_ops, start, len);