On Tue, 13 Feb 2024 at 08:27, Pratyush Brahma <quic_pbrahma@xxxxxxxxxxx> wrote:
>
> Currently, during arm smmu probe, struct arm_smmu_device pointer
> is allocated. The pointer is reallocated to a new struct qcom_smmu in
> qcom_smmu_create() with devm_krealloc() which frees the smmu device
> after copying the data into the new pointer.
>
> The freed pointer is then passed again in devm_of_platform_populate()
> inside qcom_smmu_create() which causes a use-after-free issue.
>
> Fix the use-after-free issue by reassigning the old pointer to
> the new pointer where the struct was copied by devm_krealloc().
>
> Signed-off-by: Pratyush Brahma <quic_pbrahma@xxxxxxxxxxx>

Missing Fixes tag.

> ---
> drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
> index ed5ed5da7740..49eaeed6a91c 100644
> --- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
> +++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
> @@ -710,6 +710,7 @@ static struct arm_smmu_device *qcom_smmu_create(struct arm_smmu_device *smmu,
> qsmmu = devm_krealloc(smmu->dev, smmu, sizeof(*qsmmu), GFP_KERNEL);
> if (!qsmmu)
> return ERR_PTR(-ENOMEM);
> + smmu = &qsmmu->smmu;
>
> qsmmu->smmu.impl = impl;
> qsmmu->data = data;
> @@ -719,7 +720,7 @@ static struct arm_smmu_device *qcom_smmu_create(struct arm_smmu_device *smmu,
> if (ret)
> return ERR_PTR(ret);

What is the tree that you have been developing this against? I don't
see this part of the code in the linux-next.

>
> - return &qsmmu->smmu;
> + return smmu;
> }
>
> /* Implementation Defined Register Space 0 register offsets */
> --
> 2.17.1
>
>

--
With best wishes
Dmitry
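Review bot: in the first hunk the `+ smmu = &qsmmu->smmu;` reassignment is in the right place (immediately after the NULL check, before any further use of the stale pointer), but the devm_of_platform_populate() call that the commit message names as the use-after-free site is not visible in the diff: it sits in the elided lines between the two hunks (713-719), so a reader cannot confirm from the patch alone that it takes `smmu`. Widen the context of the first hunk to include that call, or quote it in the commit message, and point the Fixes tag asked for above at the commit that introduced that call, since that is where the dangling `smmu` first gets dereferenced.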
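Review bot: the second hunk's change from `return &qsmmu->smmu;` to `return smmu;` is functionally a no-op once the first hunk makes `smmu` alias `&qsmmu->smmu`; the commit message should either say it is a consistency-only change or the line should be dropped so the fix stays minimal for stable backports. Either way, the -ENOMEM path in the first hunk is fine to leave as is: devm_krealloc() does not free the original allocation when it fails, so returning ERR_PTR(-ENOMEM) with the old `smmu` still owned by devres is not itself a leak or a second use-after-free.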