In swiotlb_tbl_free_tlb(), when the tlb range is out of the scope of the tlb slot pool, return directly with a warning message. Otherwise, kernel data might be blindly changed.
Cc: Konrad Rzeszutek Wilk <konrad.w...@oracle.com> Cc: Christoph Hellwig <h...@lst.de> Cc: Marek Szyprowski <m.szyprow...@samsung.com> Cc: Robin Murphy <robin.mur...@arm.com> Signed-off-by: Lu Baolu <baolu...@linux.intel.com> --- kernel/dma/swiotlb.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/kernel/dma/swiotlb.c b/kernel/dma/swiotlb.c index 173122d16b7f..dbb937ce79c8 100644 --- a/kernel/dma/swiotlb.c +++ b/kernel/dma/swiotlb.c @@ -560,6 +560,12 @@ swiotlb_tbl_free_tlb(struct device *hwdev, phys_addr_t tlb_addr, size_t size) int i, count, nslots = ALIGN(size, 1 << IO_TLB_SHIFT) >> IO_TLB_SHIFT; int index = (tlb_addr - io_tlb_start) >> IO_TLB_SHIFT; + /* Return directly if the tlb address is out of slot pool. */ + if (tlb_addr < io_tlb_start || tlb_addr + size > io_tlb_end) { + dev_warn(hwdev, "invalid tlb address\n"); + return; + } + /* * Return the buffer to the free list by setting the corresponding * entries to indicate the number of contiguous entries available. -- 2.17.1 _______________________________________________ iommu mailing list iommu@lists.linux-foundation.org https://lists.linuxfoundation.org/mailman/listinfo/iommu
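Review bot: the upper-bound test in the new check, `tlb_addr + size > io_tlb_end`, is done in wrapping arithmetic, so a large enough `size` can wrap the sum around and pass the check with a range that is still outside the pool. Comparing against the remaining space instead avoids the addition: first reject `tlb_addr < io_tlb_start || tlb_addr > io_tlb_end`, then reject `size > io_tlb_end - tlb_addr`. Two smaller points in the same hunk: `index` is still computed from `tlb_addr - io_tlb_start` in the declarations above the check, so for an address below `io_tlb_start` the subtraction has already wrapped by the time the function returns; it is unused on that path, but assigning `index` after the check would make the ordering obvious. The message "invalid tlb address" does not say which address or size was rejected and is not rate-limited; printing `tlb_addr` with `%pa` together with `size`, and using a once-only or rate-limited variant, would make the warning actionable without letting a misbehaving driver flood the log.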