From: Greg Kroah-Hartman Date: Tue, 10 Dec 2024 13:39:08 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v6.6.65~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=34c7c7150ebc5f1845107f01c30f3f868852b406;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: iommu-arm-smmu-defer-probe-of-clients-after-smmu-device-bound.patch --- diff --git a/queue-5.10/iommu-arm-smmu-defer-probe-of-clients-after-smmu-device-bound.patch b/queue-5.10/iommu-arm-smmu-defer-probe-of-clients-after-smmu-device-bound.patch new file mode 100644 index 00000000000..162a42f3962 --- /dev/null +++ b/queue-5.10/iommu-arm-smmu-defer-probe-of-clients-after-smmu-device-bound.patch 
@@ -0,0 +1,83 @@ +From 229e6ee43d2a160a1592b83aad620d6027084aad Mon Sep 17 00:00:00 2001 +From: Pratyush Brahma +Date: Fri, 4 Oct 2024 14:34:28 +0530 +Subject: iommu/arm-smmu: Defer probe of clients after smmu device bound + +From: Pratyush Brahma + +commit 229e6ee43d2a160a1592b83aad620d6027084aad upstream. + +Null pointer dereference occurs due to a race between smmu +driver probe and client driver probe, when of_dma_configure() +for client is called after the iommu_device_register() for smmu driver +probe has executed but before the driver_bound() for smmu driver +has been called. + +Following is how the race occurs: + +T1:Smmu device probe T2: Client device probe + +really_probe() +arm_smmu_device_probe() +iommu_device_register() + really_probe() + platform_dma_configure() + of_dma_configure() + of_dma_configure_id() + of_iommu_configure() + iommu_probe_device() + iommu_init_device() + arm_smmu_probe_device() + arm_smmu_get_by_fwnode() + driver_find_device_by_fwnode() + driver_find_device() + next_device() + klist_next() + /* null ptr + assigned to smmu */ + /* null ptr dereference + while smmu->streamid_mask */ +driver_bound() + klist_add_tail() + +When this null smmu pointer is dereferenced later in +arm_smmu_probe_device, the device crashes. + +Fix this by deferring the probe of the client device +until the smmu device has bound to the arm smmu driver. 
+ +Fixes: 021bb8420d44 ("iommu/arm-smmu: Wire up generic configuration support") +Cc: stable@vger.kernel.org +Co-developed-by: Prakash Gupta +Signed-off-by: Prakash Gupta +Signed-off-by: Pratyush Brahma +Link: https://lore.kernel.org/r/20241004090428.2035-1-quic_pbrahma@quicinc.com +[will: Add comment] +Signed-off-by: Will Deacon +[rm: backport for context conflict prior to 6.8] +Signed-off-by: Robin Murphy +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/arm/arm-smmu/arm-smmu.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/iommu/arm/arm-smmu/arm-smmu.c ++++ b/drivers/iommu/arm/arm-smmu/arm-smmu.c +@@ -1387,6 +1387,17 @@ static struct iommu_device *arm_smmu_pro + goto out_free; + } else if (fwspec && fwspec->ops == &arm_smmu_ops) { + smmu = arm_smmu_get_by_fwnode(fwspec->iommu_fwnode); ++ ++ /* ++ * Defer probe if the relevant SMMU instance hasn't finished ++ * probing yet. This is a fragile hack and we'd ideally ++ * avoid this race in the core code. Until that's ironed ++ * out, however, this is the most pragmatic option on the ++ * table. ++ */ ++ if (!smmu) ++ return ERR_PTR(dev_err_probe(dev, -EPROBE_DEFER, ++ "smmu dev has not bound yet\n")); + } else { + return ERR_PTR(-ENODEV); + } diff --git a/queue-5.10/series b/queue-5.10/series index 1fb7080c557..b479180a4a6 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -377,3 +377,4 @@ regmap-detach-regmap-from-dev-on-regmap_exit.patch mmc-sdhci-pci-add-dmi-quirk-for-missing-cd-gpio-on-vexia-edu-atla-10-tablet.patch mmc-core-further-prevent-card-detect-during-shutdown.patch ocfs2-update-seq_file-index-in-ocfs2_dlm_seq_next.patch +iommu-arm-smmu-defer-probe-of-clients-after-smmu-device-bound.patch
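Review bot: In the arm-smmu.c hunk, the new `if (!smmu)` check inside the `fwspec->ops == &arm_smmu_ops` branch returns -EPROBE_DEFER for every NULL result from arm_smmu_get_by_fwnode(), so it cannot distinguish an SMMU that has not bound yet from one whose probe failed and will never bind. In the second case the client device stays on the deferred list indefinitely, and the only hint is the "smmu dev has not bound yet" reason recorded by dev_err_probe(), which for -EPROBE_DEFER is not printed at error level. The in-code comment already calls this a fragile hack; it would be worth also stating there, or in the commit message, that a failed SMMU probe leaves its clients permanently deferred, so that anyone debugging a client that never probes knows to check the SMMU first. The direct `return ERR_PTR(...)` matches the `return ERR_PTR(-ENODEV)` in the following else branch rather than the `goto out_free` used by the legacy branch above it; that is only correct if nothing has been allocated for this device before the lookup, which the visible context does not show and should be confirmed against the 5.10 tree given the "[rm: backport for context conflict prior to 6.8]" note.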