--- /dev/null
+From 57d72e159b60456c8bb281736c02ddd3164037aa Mon Sep 17 00:00:00 2001
+From: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
+Date: Thu, 14 Dec 2017 11:03:01 +0000
+Subject: iommu/arm-smmu-v3: Don't free page table ops twice
+
+From: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
+
+commit 57d72e159b60456c8bb281736c02ddd3164037aa upstream.
+
+Kasan reports a double free when finalise_stage_fn fails: the io_pgtable
+ops are freed by arm_smmu_domain_finalise and then again by
+arm_smmu_domain_free. Prevent this by leaving pgtbl_ops empty on failure.
+
+Fixes: 48ec83bcbcf5 ("iommu/arm-smmu: Add initial driver support for ARM SMMUv3 devices")
+Reviewed-by: Robin Murphy <robin.murphy@arm.com>
+Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/arm-smmu-v3.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/iommu/arm-smmu-v3.c
++++ b/drivers/iommu/arm-smmu-v3.c
+@@ -1541,13 +1541,15 @@ static int arm_smmu_domain_finalise(stru
+ return -ENOMEM;
+
+ arm_smmu_ops.pgsize_bitmap = pgtbl_cfg.pgsize_bitmap;
+- smmu_domain->pgtbl_ops = pgtbl_ops;
+
+ ret = finalise_stage_fn(smmu_domain, &pgtbl_cfg);
+- if (IS_ERR_VALUE(ret))
++ if (IS_ERR_VALUE(ret)) {
+ free_io_pgtable_ops(pgtbl_ops);
++ return ret;
++ }
+
+- return ret;
++ smmu_domain->pgtbl_ops = pgtbl_ops;
++ return 0;
+ }
+
+ static struct arm_smmu_group *arm_smmu_group_get(struct device *dev)
projects / thirdparty / kernel / stable-queue.git / commitdiff
