The bug is here: if (!iommu || iommu->dev->of_node != spec->np) {
The list iterator value 'iommu' will *always* be set and non-NULL by list_for_each_entry(), so it is incorrect to assume that the iterator value will be NULL if the list is empty or no element is found (in fact, it will point to a invalid structure object containing HEAD).
To fix the bug, run insert_iommu_master(dev, &iommu, spec); unlock and return 0 when found, otherwise unlock and return -ENODEV.
Cc: stable@vger.kernel.org Fixes: f78ebca8ff3d6 ("iommu/msm: Add support for generic master bindings") Signed-off-by: Xiaomeng Tong xiam0nd.tong@gmail.com --- drivers/iommu/msm_iommu.c | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-)
diff --git a/drivers/iommu/msm_iommu.c b/drivers/iommu/msm_iommu.c index 3a38352b603f..1dbb8b0695ec 100644 --- a/drivers/iommu/msm_iommu.c +++ b/drivers/iommu/msm_iommu.c @@ -617,23 +617,17 @@ static int qcom_iommu_of_xlate(struct device *dev, { struct msm_iommu_dev *iommu; unsigned long flags; - int ret = 0;
spin_lock_irqsave(&msm_iommu_lock, flags); list_for_each_entry(iommu, &qcom_iommu_devices, dev_node) - if (iommu->dev->of_node == spec->np) - break; - - if (!iommu || iommu->dev->of_node != spec->np) { - ret = -ENODEV; - goto fail; - } - - insert_iommu_master(dev, &iommu, spec); -fail: + if (iommu->dev->of_node == spec->np) { + insert_iommu_master(dev, &iommu, spec); + spin_unlock_irqrestore(&msm_iommu_lock, flags); + return 0; + } spin_unlock_irqrestore(&msm_iommu_lock, flags);
- return ret; + return -ENODEV; }
irqreturn_t msm_iommu_fault_handler(int irq, void *dev_id)
On Sun, Mar 27, 2022 at 01:35:58PM +0800, Xiaomeng Tong wrote:
@@ -617,23 +617,17 @@ static int qcom_iommu_of_xlate(struct device *dev, { struct msm_iommu_dev *iommu; unsigned long flags;
- int ret = 0;
spin_lock_irqsave(&msm_iommu_lock, flags); list_for_each_entry(iommu, &qcom_iommu_devices, dev_node)
if (iommu->dev->of_node == spec->np)break;- if (!iommu || iommu->dev->of_node != spec->np) {
ret = -ENODEV;goto fail;- }
- insert_iommu_master(dev, &iommu, spec);
-fail:
if (iommu->dev->of_node == spec->np) {insert_iommu_master(dev, &iommu, spec);spin_unlock_irqrestore(&msm_iommu_lock, flags);return 0;}
- return ret;
- return -ENODEV;
This looks a bit clumsy, a better fix is below:
diff --git a/drivers/iommu/msm_iommu.c b/drivers/iommu/msm_iommu.c index 50f57624610f..98d23c52537b 100644 --- a/drivers/iommu/msm_iommu.c +++ b/drivers/iommu/msm_iommu.c @@ -610,14 +610,16 @@ static void insert_iommu_master(struct device *dev, static int qcom_iommu_of_xlate(struct device *dev, struct of_phandle_args *spec) { - struct msm_iommu_dev *iommu; + struct msm_iommu_dev *iommu = NULL, *it; unsigned long flags; int ret = 0;
spin_lock_irqsave(&msm_iommu_lock, flags); - list_for_each_entry(iommu, &qcom_iommu_devices, dev_node) - if (iommu->dev->of_node == spec->np) + list_for_each_entry(it, &qcom_iommu_devices, dev_node) + if (it->dev->of_node == spec->np) { + iommu = it; break; + }
if (!iommu || iommu->dev->of_node != spec->np) { ret = -ENODEV;
Can you please verify this and re-submit?
Thanks,
Joerg
linux-stable-mirror@lists.linaro.org
-
Joerg Roedel -
Xiaomeng Tong