iommu/vt-d: Fix overflow of iommu->domains array

The valid range of 'did' in get_iommu_domain(*iommu, did) is 0..cap_ndoms(iommu->cap), so don't exceed that range in free_all_cpu_cached_iovas(). The user-visible impact of the out-of-bounds access is the machine hanging on suspend-to-ram. It is, in fact, a kernel panic, but due to already suspended devices, that's often not visible to the user. Fixes: 22e2f9fa ("iommu/vt-d: Use per-cpu IOVA caching") Signed-off-by: N Jan Niehusmann <jan@gondor.com> Tested-By: N Marius Vlad <marius.c.vlad@intel.com> Signed-off-by: N Joerg Roedel <jroedel@suse.de>

iommu/vt-d: Fix overflow of iommu->domains array
The valid range of 'did' in get_iommu_domain(*iommu, did) is 0..cap_ndoms(iommu->cap), so don't exceed that range in free_all_cpu_cached_iovas(). The user-visible impact of the out-of-bounds access is the machine hanging on suspend-to-ram. It is, in fact, a kernel panic, but due to already suspended devices, that's often not visible to the user. Fixes: 22e2f9fa ("iommu/vt-d: Use per-cpu IOVA caching") Signed-off-by: N Jan Niehusmann <jan@gondor.com> Tested-By: N Marius Vlad <marius.c.vlad@intel.com> Signed-off-by: N Joerg Roedel <jroedel@suse.de>
3bd4f911 · Jan Niehusmann · Joerg Roedel · 583248e6 · 3bd4f911
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

drivers/iommu/intel-iommu.c drivers/iommu/intel-iommu.c +1 -1

未找到文件。
--- a/drivers/iommu/intel-iommu.c
+++ b/drivers/iommu/intel-iommu.c
@@ -4607,7 +4607,7 @@ static void free_all_cpu_cached_iovas(unsigned int cpu)
 		if (!iommu)
 			continue;
-		for (did = 0; did < 0xffff; did++) {
+		for (did = 0; did < cap_ndoms(iommu->cap); did++) {
 			domain = get_iommu_domain(iommu, did);
 			if (!domain)