From 34701923eb2c42f1e01a8d54c4521a54721c1169 Mon Sep 17 00:00:00 2001 From: Prakash Gupta Date: Wed, 4 Oct 2017 12:37:11 +0530 Subject: [PATCH] iommu: fix smmu_secure_pool access list after free issue secure_pool_list is initialized during domain alloc and freed with domain free. commit e6a18bb617e4 ("iommu: free io pgtable during domain detach.") frees the secure_pool_list as part of iommu detach sequence, and uses the same list head as part of iommu attach. This uncovers an existing bug where list was not being deleted from secure_pool_list and associated memory was being freed. This resulted in invalid secure_pool_list head pointing to a location already freed and resulted in kernel BUG of access after free during iommu attach. Call Trace: arm_smmu_alloc_pages_exact+0x60/0x110 io_pgtable_alloc_pages_exact+0x48/0xb0 __arm_lpae_alloc_pages+0x48/0x1c0 arm_64_lpae_alloc_pgtable_s1+0x100/0x15c alloc_io_pgtable_ops+0x54/0x88 arm_smmu_attach_dev+0x8cc/0x1144 __iommu_attach_device+0x3c/0xf4 [...] Change-Id: I7d1b49030986da7f5d05b7e6cb9dc09079f20a41 Signed-off-by: Prakash Gupta --- drivers/iommu/arm-smmu.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/iommu/arm-smmu.c b/drivers/iommu/arm-smmu.c index 62230d30d101..6317478916ef 100644 --- a/drivers/iommu/arm-smmu.c +++ b/drivers/iommu/arm-smmu.c @@ -1243,6 +1243,7 @@ static void arm_smmu_secure_pool_destroy(struct arm_smmu_domain *smmu_domain) list_for_each_entry_safe(it, i, &smmu_domain->secure_pool_list, list) { arm_smmu_unprepare_pgtable(smmu_domain, it->addr, it->size); /* pages will be freed later (after being unassigned) */ + list_del(&it->list); kfree(it); } }
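Review bot: the added `list_del(&it->list);` before `kfree(it);` is the correct minimal fix and is safe under `list_for_each_entry_safe()`, but the comment immediately above it, "pages will be freed later (after being unassigned)", implies a deferred path still needs `it->addr` and `it->size`; confirm that path does not walk `secure_pool_list`, since after this loop the list head is empty and every entry has been freed, so a later consumer must obtain the page address and size from somewhere other than these entries. Since the commit message notes that the attach path reuses the same list head rather than re-initializing it, it would also help to state in the message that an empty head is the expected post-condition of `arm_smmu_secure_pool_destroy()`.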