From: Greg Kroah-Hartman Date: Mon, 29 Dec 2025 16:02:49 +0000 (+0100) Subject: 6.6-stable patches X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5d728aeb932666264d12c9c23734eb017223f038;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: iommu-mediatek-fix-use-after-free-on-probe-deferral.patch
---
diff --git a/queue-6.6/iommu-mediatek-fix-use-after-free-on-probe-deferral.patch b/queue-6.6/iommu-mediatek-fix-use-after-free-on-probe-deferral.patch
new file mode 100644
index 0000000000..f5fdc46d3b
--- /dev/null
+++ b/queue-6.6/iommu-mediatek-fix-use-after-free-on-probe-deferral.patch
@@ -0,0 +1,91 @@
+From de83d4617f9fe059623e97acf7e1e10d209625b5 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 20 Oct 2025 06:53:10 +0200
+Subject: iommu/mediatek: fix use-after-free on probe deferral
+
+From: Johan Hovold
+
+commit de83d4617f9fe059623e97acf7e1e10d209625b5 upstream.
+
+The driver is dropping the references taken to the larb devices during
+probe after successful lookup as well as on errors. This can
+potentially lead to a use-after-free in case a larb device has not yet
+been bound to its driver so that the iommu driver probe defers.
+
+Fix this by keeping the references as expected while the iommu driver is
+bound.
+
+Fixes: 26593928564c ("iommu/mediatek: Add error path for loop of mm_dts_parse")
+Cc: stable@vger.kernel.org
+Cc: Yong Wu
+Acked-by: Robin Murphy
+Signed-off-by: Johan Hovold
+Reviewed-by: Yong Wu
+Reviewed-by: AngeloGioacchino Del Regno
+Signed-off-by: Joerg Roedel
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iommu/mtk_iommu.c | 25 ++++++++++++++++++-------
+ 1 file changed, 18 insertions(+), 7 deletions(-)
+
+--- a/drivers/iommu/mtk_iommu.c
++++ b/drivers/iommu/mtk_iommu.c
+@@ -1196,16 +1196,19 @@ static int mtk_iommu_mm_dts_parse(struct
+ }
+
+ component_match_add(dev, match, component_compare_dev, &plarbdev->dev);
+- platform_device_put(plarbdev);
+ }
+
+- if (!frst_avail_smicomm_node)
+- return -EINVAL;
++ if (!frst_avail_smicomm_node) {
++ ret = -EINVAL;
++ goto err_larbdev_put;
++ }
+
+ pcommdev = of_find_device_by_node(frst_avail_smicomm_node);
+ of_node_put(frst_avail_smicomm_node);
+- if (!pcommdev)
+- return -ENODEV;
++ if (!pcommdev) {
++ ret = -ENODEV;
++ goto err_larbdev_put;
++ }
+ data->smicomm_dev = &pcommdev->dev;
+
+ link = device_link_add(data->smicomm_dev, dev,
+@@ -1213,7 +1216,8 @@ static int mtk_iommu_mm_dts_parse(struct
+ platform_device_put(pcommdev);
+ if (!link) {
+ dev_err(dev, "Unable to link %s.\n", dev_name(data->smicomm_dev));
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err_larbdev_put;
+ }
+ return 0;
+
+@@ -1385,8 +1389,12 @@ out_sysfs_remove:
+ iommu_device_sysfs_remove(&data->iommu);
+ out_list_del:
+ list_del(&data->list);
+- if (MTK_IOMMU_IS_TYPE(data->plat_data, MTK_IOMMU_TYPE_MM))
++ if (MTK_IOMMU_IS_TYPE(data->plat_data, MTK_IOMMU_TYPE_MM)) {
+ device_link_remove(data->smicomm_dev, dev);
++
++ for (i = 0; i < MTK_LARB_NR_MAX; i++)
++ put_device(data->larb_imu[i].dev);
++ }
+ out_runtime_disable:
+ pm_runtime_disable(dev);
+ return ret;
+@@ -1406,6 +1414,9 @@ static void mtk_iommu_remove(struct plat
+ if (MTK_IOMMU_IS_TYPE(data->plat_data, MTK_IOMMU_TYPE_MM)) {
+ device_link_remove(data->smicomm_dev, &pdev->dev);
+ component_master_del(&pdev->dev, &mtk_iommu_com_ops);
++
++ for (i = 0; i < MTK_LARB_NR_MAX; i++)
++ put_device(data->larb_imu[i].dev);
+ }
+ pm_runtime_disable(&pdev->dev);
+ for (i = 0; i < data->plat_data->banks_num; i++) {
diff --git a/queue-6.6/series b/queue-6.6/series
index 6ef1fb4bbc..39d45741bb 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -497,3 +497,4 @@ hwmon-max16065-use-local-variable-to-avoid-toctou.patch
 hwmon-w83791d-convert-macros-to-functions-to-avoid-toctou.patch
 hwmon-w83l786ng-convert-macros-to-functions-to-avoid-toctou.patch
 arm-dts-microchip-sama5d2-fix-spi-flexcom-fifo-size-to-32.patch
+iommu-mediatek-fix-use-after-free-on-probe-deferral.patch
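Review bot: In the `@@ -1213,7 +1216,8 @@` hunk of mtk_iommu_mm_dts_parse(), the `!link` branch still calls `dev_name(data->smicomm_dev)` after `platform_device_put(pcommdev)` has dropped the reference taken by of_find_device_by_node(), which is the same put-then-use ordering this patch removes for the larb devices. When device_link_add() fails, nothing visible here keeps the smi-common device pinned, so the lookup reference should be held until the message is printed: log with `dev_name(&pcommdev->dev)`, call `platform_device_put(pcommdev);` inside the branch before `goto err_larbdev_put;`, and put once more after the `if` for the success path. The window presumably needs the smi-common device to be unregistered concurrently, so this is hardening rather than a confirmed use-after-free. The `err_larbdev_put` label and the start of the function lie outside the hunks, so the cleanup those new `goto`s rely on could not be checked here.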