diff options
| author | Jan Niehusmann <jan@gondor.com> | 2016-06-06 14:20:11 +0200 |
|---|---|---|
| committer | Daniel Vetter <daniel.vetter@ffwll.ch> | 2016-06-08 16:54:49 +0200 |
| commit | 8b86400f445ee400cbd1b81e6c0d6c66c9076e68 (patch) | |
| tree | 905c9bd3d9272c0c7e6bc25d7633d6b307c7af83 | |
| parent | 46ad020cf7e398c3001bcfe45930003aa6fe62f0 (diff) | |
iommu/vt-d: fix overflow of iommu->domains array
The valid range of 'did' in get_iommu_domain(*iommu, did)
is 0..cap_ndoms(iommu->cap), so don't exceed that
range in free_all_cpu_cached_iovas().
The user-visible impact of the out-of-bounds access is the machine
hanging on suspend-to-ram. It is, in fact, a kernel panic, but due
to already suspended devices, that's often not visible to the user.
Fixes: 22e2f9fa63b0 ("iommu/vt-d: Use per-cpu IOVA caching")
Signed-off-by: Jan Niehusmann <jan@gondor.com>
Tested-By: Marius Vlad <marius.c.vlad@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20160606122010.GA3048@x61s.reliablesolutions.de
| -rw-r--r-- | drivers/iommu/intel-iommu.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c index a644d0cec2d8..82989d4afa91 100644 --- a/drivers/iommu/intel-iommu.c +++ b/drivers/iommu/intel-iommu.c @@ -4600,7 +4600,7 @@ static void free_all_cpu_cached_iovas(unsigned int cpu) if (!iommu) continue; - for (did = 0; did < 0xffff; did++) { + for (did = 0; did < cap_ndoms(iommu->cap); did++) { domain = get_iommu_domain(iommu, did); if (!domain) |