| Message ID | 20220327053558.2821-1-xiam0nd.tong@gmail.com |
|---|---|
| State | New |
| Headers | show |
| Series | iommu: fix an incorrect NULL check on list iterator | expand |
On Sun, Mar 27, 2022 at 01:35:58PM +0800, Xiaomeng Tong wrote: > @@ -617,23 +617,17 @@ static int qcom_iommu_of_xlate(struct device *dev, > { > struct msm_iommu_dev *iommu; > unsigned long flags; > - int ret = 0; > > spin_lock_irqsave(&msm_iommu_lock, flags); > list_for_each_entry(iommu, &qcom_iommu_devices, dev_node) > - if (iommu->dev->of_node == spec->np) > - break; > - > - if (!iommu || iommu->dev->of_node != spec->np) { > - ret = -ENODEV; > - goto fail; > - } > - > - insert_iommu_master(dev, &iommu, spec); > -fail: > + if (iommu->dev->of_node == spec->np) { > + insert_iommu_master(dev, &iommu, spec); > + spin_unlock_irqrestore(&msm_iommu_lock, flags); > + return 0; > + } > spin_unlock_irqrestore(&msm_iommu_lock, flags); > > - return ret; > + return -ENODEV; This looks a bit clumsy, a better fix is below: diff --git a/drivers/iommu/msm_iommu.c b/drivers/iommu/msm_iommu.c index 50f57624610f..98d23c52537b 100644 --- a/drivers/iommu/msm_iommu.c +++ b/drivers/iommu/msm_iommu.c @@ -610,14 +610,16 @@ static void insert_iommu_master(struct device *dev, static int qcom_iommu_of_xlate(struct device *dev, struct of_phandle_args *spec) { - struct msm_iommu_dev *iommu; + struct msm_iommu_dev *iommu = NULL, *it; unsigned long flags; int ret = 0; spin_lock_irqsave(&msm_iommu_lock, flags); - list_for_each_entry(iommu, &qcom_iommu_devices, dev_node) - if (iommu->dev->of_node == spec->np) + list_for_each_entry(it, &qcom_iommu_devices, dev_node) + if (it->dev->of_node == spec->np) { + iommu = it; break; + } if (!iommu || iommu->dev->of_node != spec->np) { ret = -ENODEV; Can you please verify this and re-submit? Thanks, Joerg
diff --git a/drivers/iommu/msm_iommu.c b/drivers/iommu/msm_iommu.c index 3a38352b603f..1dbb8b0695ec 100644 --- a/drivers/iommu/msm_iommu.c +++ b/drivers/iommu/msm_iommu.c @@ -617,23 +617,17 @@ static int qcom_iommu_of_xlate(struct device *dev, { struct msm_iommu_dev *iommu; unsigned long flags; - int ret = 0; spin_lock_irqsave(&msm_iommu_lock, flags); list_for_each_entry(iommu, &qcom_iommu_devices, dev_node) - if (iommu->dev->of_node == spec->np) - break; - - if (!iommu || iommu->dev->of_node != spec->np) { - ret = -ENODEV; - goto fail; - } - - insert_iommu_master(dev, &iommu, spec); -fail: + if (iommu->dev->of_node == spec->np) { + insert_iommu_master(dev, &iommu, spec); + spin_unlock_irqrestore(&msm_iommu_lock, flags); + return 0; + } spin_unlock_irqrestore(&msm_iommu_lock, flags); - return ret; + return -ENODEV; } irqreturn_t msm_iommu_fault_handler(int irq, void *dev_id)
The bug is here: if (!iommu || iommu->dev->of_node != spec->np) { The list iterator value 'iommu' will *always* be set and non-NULL by list_for_each_entry(), so it is incorrect to assume that the iterator value will be NULL if the list is empty or no element is found (in fact, it will point to a invalid structure object containing HEAD). To fix the bug, run insert_iommu_master(dev, &iommu, spec); unlock and return 0 when found, otherwise unlock and return -ENODEV. Cc: stable@vger.kernel.org Fixes: f78ebca8ff3d6 ("iommu/msm: Add support for generic master bindings") Signed-off-by: Xiaomeng Tong <xiam0nd.tong@gmail.com> --- drivers/iommu/msm_iommu.c | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-)