In swiotlb_tbl_free_tlb(), when the tlb range is out of the scope of the tlb slot pool, return directly with a warning message. Otherwise, kernel data might be blindly changed.
Cc: Konrad Rzeszutek Wilk <[email protected]> Cc: Christoph Hellwig <[email protected]> Cc: Marek Szyprowski <[email protected]> Cc: Robin Murphy <[email protected]> Signed-off-by: Lu Baolu <[email protected]> --- kernel/dma/swiotlb.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/kernel/dma/swiotlb.c b/kernel/dma/swiotlb.c index 173122d16b7f..dbb937ce79c8 100644 --- a/kernel/dma/swiotlb.c +++ b/kernel/dma/swiotlb.c @@ -560,6 +560,12 @@ swiotlb_tbl_free_tlb(struct device *hwdev, phys_addr_t tlb_addr, size_t size) int i, count, nslots = ALIGN(size, 1 << IO_TLB_SHIFT) >> IO_TLB_SHIFT; int index = (tlb_addr - io_tlb_start) >> IO_TLB_SHIFT; + /* Return directly if the tlb address is out of slot pool. */ + if (tlb_addr < io_tlb_start || tlb_addr + size > io_tlb_end) { + dev_warn(hwdev, "invalid tlb address\n"); + return; + } + /* * Return the buffer to the free list by setting the corresponding * entries to indicate the number of contiguous entries available. -- 2.17.1 _______________________________________________ iommu mailing list [email protected] https://lists.linuxfoundation.org/mailman/listinfo/iommu
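Review bot: in the added range check, `tlb_addr + size > io_tlb_end` can wrap for a large `size`, so an out-of-range request could pass the test it is meant to fail. Once `tlb_addr >= io_tlb_start` and `tlb_addr < io_tlb_end` are established, comparing `size > io_tlb_end - tlb_addr` avoids the overflow. The check also uses the raw `size`, while `nslots` in the declarations above is derived from `ALIGN(size, 1 << IO_TLB_SHIFT)`, so please confirm that the rounded-up slot count cannot run past the pool when `tlb_addr + size` sits just below `io_tlb_end`. Lastly, `dev_warn(hwdev, "invalid tlb address\n")` reports neither the address nor the size and is not rate limited. Printing `&tlb_addr` with `%pa` together with `size`, through `dev_warn_ratelimited()` or a `WARN_ONCE()`, would make the offending caller identifiable without flooding the log.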
