Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ad33dcba authored by Prakash Gupta's avatar Prakash Gupta
Browse files

iommu: iommu-debug: fix null-ptr-deref in atos write 



iommu_debug_atos_write checks for invalid phys address before atos write.
If done without domain attach this can result in null-ptr-deref.

example call trace:

iommu_iova_to_phys+0x10
iommu_debug_atos_write+0x74
__vfs_write+0x60
vfs_write+0xe4
ksys_write+0x78
__arm64_sys_write+0x1c
el0_svc_common+0xbc
el0_svc_handler+0x68
el0_svc+0x8

Fix this by checking for valid domain attached.

Change-Id: Ib35ae624ed5a9d18c4772697df73887dba8b4bb6
Signed-off-by: default avatarPrakash Gupta <guptap@codeaurora.org>
parent 82579861

drivers/iommu/iommu-debug.c

+6 −1
Original line number Diff line number Diff line 
// SPDX-License-Identifier: GPL-2.0-only

/*

 * Copyright (c) 2015-2020, The Linux Foundation. All rights reserved.

 * Copyright (c) 2015-2021, The Linux Foundation. All rights reserved.

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License version 2 and
@@ -1546,6 +1546,11 @@ static ssize_t iommu_debug_atos_write(struct file *file, 
		return -EINVAL;

	}



	if (!ddev->domain) {

		pr_err_ratelimited("No domain. Did you already attach?\n");

		return -EINVAL;

	}



	phys = iommu_iova_to_phys(ddev->domain, iova);

	pfn = __phys_to_pfn(phys);

	if (!pfn_valid(pfn)) {