
Commit 656801a8 authored by Arun KS

iommu: arm-smmu: Fix use after free of pgtbl_ops



During hibernation restore, new pgtbl_ops was allocated
but not assigned to smmu_domain structure. Hence the
subsequent freeze call uses an outdated pointer and causes
a use after free. Fix it by assigning the newly allocated
pgtbl_ops to smmu_domain.

Change-Id: I8200f5a105c1d78239d0aade357007d27cd8b20e
Signed-off-by: Arun KS <arunks@codeaurora.org>
parent b62aaff3
+5 −2
@@ -5149,6 +5149,7 @@ static int __maybe_unused arm_smmu_pm_restore_early(struct device *dev)
{
	struct arm_smmu_device *smmu = dev_get_drvdata(dev);
	struct arm_smmu_domain *smmu_domain;
	struct io_pgtable_ops *pgtbl_ops;
	struct arm_smmu_cb *cb;
	int idx;

@@ -5162,13 +5163,15 @@ static int __maybe_unused arm_smmu_pm_restore_early(struct device *dev)
		if (!arm_smmu_has_secure_vmid(smmu_domain))
			continue;

		if (!alloc_io_pgtable_ops(smmu_domain->pgtbl_fmt,
		pgtbl_ops = alloc_io_pgtable_ops(smmu_domain->pgtbl_fmt,
					  &smmu_domain->pgtbl_cfg,
					  smmu_domain)) {
					  smmu_domain);
		if (!pgtbl_ops) {
			dev_err(smmu->dev, "failed to allocate page tables during pm restore for cxt %d\n",
				idx, dev_name(dev));
			return -ENOMEM;
		}
		smmu_domain->pgtbl_ops = pgtbl_ops;
		arm_smmu_secure_domain_lock(smmu_domain);
		arm_smmu_assign_table(smmu_domain);
		arm_smmu_secure_domain_unlock(smmu_domain);
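Review bot: On the failure branch (if (!pgtbl_ops) ... return -ENOMEM;) smmu_domain->pgtbl_ops is left untouched, and the commit message says the pointer held there at this stage is outdated, so a failed allocation still leaves the stale pointer in place for a later freeze to use. Consider setting smmu_domain->pgtbl_ops to NULL before returning the error, provided the freeze path checks for NULL. Separately, the dev_err() call in the same branch passes two arguments (idx, dev_name(dev)) to a format string that has only one conversion (%d), so dev_name(dev) is never printed; either add a %s for it or drop the argument, since dev_err() already prefixes the message with the name of the device it is given.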