On Tue, Dec 10, 2024 at 12:42:16PM +0000, Robin Murphy wrote:
> From: Pratyush Brahma <quic_pbrahma@xxxxxxxxxxx>
>
> [ Upstream commit 229e6ee43d2a160a1592b83aad620d6027084aad ]
>
> Null pointer dereference occurs due to a race between smmu
> driver probe and client driver probe, when of_dma_configure()
> for client is called after the iommu_device_register() for smmu driver
> probe has executed but before the driver_bound() for smmu driver
> has been called.
>
> Following is how the race occurs:
>
> T1: Smmu device probe                  T2: Client device probe
>
> really_probe()
> arm_smmu_device_probe()
> iommu_device_register()
>                                        really_probe()
>                                        platform_dma_configure()
>                                        of_dma_configure()
>                                        of_dma_configure_id()
>                                        of_iommu_configure()
>                                        iommu_probe_device()
>                                        iommu_init_device()
>                                        arm_smmu_probe_device()
>                                        arm_smmu_get_by_fwnode()
>                                         driver_find_device_by_fwnode()
>                                         driver_find_device()
>                                         next_device()
>                                         klist_next()
>                                         /* null ptr
>                                            assigned to smmu */
>                                        /* null ptr dereference
>                                           while smmu->streamid_mask */
> driver_bound()
> klist_add_tail()
>
> When this null smmu pointer is dereferenced later in
> arm_smmu_probe_device, the device crashes.
>
> Fix this by deferring the probe of the client device
> until the smmu device has bound to the arm smmu driver.
>
> Fixes: 021bb8420d44 ("iommu/arm-smmu: Wire up generic configuration support")
> Cc: stable@xxxxxxxxxxxxxxx # 6.6
> Co-developed-by: Prakash Gupta <quic_guptap@xxxxxxxxxxx>
> Signed-off-by: Prakash Gupta <quic_guptap@xxxxxxxxxxx>
> Signed-off-by: Pratyush Brahma <quic_pbrahma@xxxxxxxxxxx>
> Link: https://lore.kernel.org/r/20241004090428.2035-1-quic_pbrahma@xxxxxxxxxxx
> [will: Add comment]
> Signed-off-by: Will Deacon <will@xxxxxxxxxx>
> [rm: backport for context conflict prior to 6.8]
> Signed-off-by: Robin Murphy <robin.murphy@xxxxxxx>
> ---
>  drivers/iommu/arm/arm-smmu/arm-smmu.c | 11 +++++++++++
>  1 file changed, 11 insertions(+)

Now queued up, thanks.

greg k-h