Linux ARM-MSM sub-architecture
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
To: Pratyush Brahma <quic_pbrahma@quicinc.com>,
	Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Cc: quic_c_gdjako@quicinc.com, andersson@kernel.org,
	conor+dt@kernel.org, devicetree@vger.kernel.org,
	djakov@kernel.org, iommu@lists.linux.dev, joro@8bytes.org,
	konrad.dybcio@linaro.org, krzysztof.kozlowski+dt@linaro.org,
	linux-arm-kernel@lists.infradead.org,
	linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org,
	quic_cgoldswo@quicinc.com, quic_pdaly@quicinc.com,
	quic_sudaraja@quicinc.com, quic_sukadev@quicinc.com,
	robdclark@gmail.com, robh+dt@kernel.org, robin.murphy@arm.com,
	will@kernel.org
Subject: Re: [PATCH 1/1] iommu/arm-smmu-qcom: Fix use-after-free issue in qcom_smmu_create()
Date: Thu, 29 Feb 2024 18:57:11 +0100	[thread overview]
Message-ID: <6eb17b85-1b38-401d-84b6-4e995482d86f@linaro.org> (raw)
In-Reply-To: <ccb6b2a2-040b-46cc-9b72-2e4bd4c75565@quicinc.com>

On 13/02/2024 09:17, Pratyush Brahma wrote:
> 
> On 2/13/2024 1:36 PM, Dmitry Baryshkov wrote:
>> On Tue, 13 Feb 2024 at 08:27, Pratyush Brahma <quic_pbrahma@quicinc.com> wrote:
>>> Currently, during arm smmu probe, struct arm_smmu_device pointer
>>> is allocated. The pointer is reallocated to a new struct qcom_smmu in
>>> qcom_smmu_create() with devm_krealloc() which frees the smmu device
>>> after copying the data into the new pointer.
>>>
>>> The freed pointer is then passed again in devm_of_platform_populate()
>>> inside qcom_smmu_create() which causes a use-after-free issue.
>>>
>>> Fix the use-after-free issue by reassigning the old pointer to
>>> the new pointer where the struct was copied by devm_krealloc().
>>>
>>> Signed-off-by: Pratyush Brahma <quic_pbrahma@quicinc.com>
>> Missing Fixes tag.
> Haven't added as the patchset in-reply-to hasn't been merged to
> linux-next. Please refer to my next reply.

Why do you send patches for work being reviewed? Just perform the
review. It looks like you deliberately want to apply bad code just to
fix it a second later!

Best regards,
Krzysztof
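The pattern the quoted commit message describes, as an added userspace analogue that is not the kernel driver's code: a krealloc-style helper that copies the object and frees the old block, a buggy caller that keeps passing the old pointer on, and the fixed caller that re-points at the moved object first. The struct fields, tracked_krealloc(), populate(), make_smmu() and the freed-address tracker are all constructed for illustration; the tracker lets the stale pointer be flagged without ever dereferencing freed memory.

```c
#include <stdlib.h>
#include <string.h>

/* Toy stand-ins for the driver's structs (constructed, not the kernel's). */
struct arm_smmu_device { int id; int num_context_banks; };
struct qcom_smmu { struct arm_smmu_device smmu; int bypass_quirk; };

/* Address most recently released by tracked_krealloc(); lets populate() flag a
 * caller that still holds it without ever dereferencing the freed block. */
static const void *last_freed;

/* Analogue of devm_krealloc() as the commit message describes it: copy the
 * object into a new, larger block, then free the old one (always moves). */
static void *tracked_krealloc(void *p, size_t old_n, size_t new_n) {
    void *np = malloc(new_n);
    if (!np) return NULL;
    memcpy(np, p, old_n);
    free(p);
    last_freed = p;
    return np;
}

/* Stand-in for devm_of_platform_populate(): rejects a released pointer. */
static int populate(const struct arm_smmu_device *smmu) {
    if ((const void *)smmu == last_freed) return -1;  /* stale: would be UAF */
    return smmu->id;
}

static struct arm_smmu_device *make_smmu(int id) {
    struct arm_smmu_device *s = calloc(1, sizeof(*s));
    if (s) s->id = id;
    return s;
}

/* Buggy shape: 'smmu' still names the block tracked_krealloc() just freed. */
static int create_buggy(struct arm_smmu_device *smmu, struct qcom_smmu **out) {
    struct qcom_smmu *q = tracked_krealloc(smmu, sizeof(*smmu), sizeof(*q));
    if (!q) return -1;
    *out = q;
    return populate(smmu);
}

/* Fixed shape: re-point 'smmu' at the copy before anything else uses it. */
static int create_fixed(struct arm_smmu_device *smmu, struct qcom_smmu **out) {
    struct qcom_smmu *q = tracked_krealloc(smmu, sizeof(*smmu), sizeof(*q));
    if (!q) return -1;
    smmu = &q->smmu;
    *out = q;
    return populate(smmu);
}
```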


