[PATCH v5 15/21] iommu/tegra: gart: Fix NULL pointer dereference

From: Dmitry Osipenko
Date: Sun Sep 30 2018 - 18:49:52 EST


Fix NULL pointer dereference on IOMMU domain destruction that happens
because clients list is being iterated unsafely and its elements are
getting deleted during the iteration.

Signed-off-by: Dmitry Osipenko <digetx@xxxxxxxxx>
Acked-by: Thierry Reding <treding@xxxxxxxxxx>
---
drivers/iommu/tegra-gart.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/iommu/tegra-gart.c b/drivers/iommu/tegra-gart.c
index e6fe139576c3..1d45b023adea 100644
--- a/drivers/iommu/tegra-gart.c
+++ b/drivers/iommu/tegra-gart.c
@@ -258,9 +258,9 @@ static void gart_iommu_domain_free(struct iommu_domain *domain)
if (gart) {
spin_lock(&gart->client_lock);
if (!list_empty(&gart->client)) {
- struct gart_client *c;
+ struct gart_client *c, *tmp;

- list_for_each_entry(c, &gart->client, list)
+ list_for_each_entry_safe(c, tmp, &gart->client, list)
__gart_iommu_detach_dev(domain, c->dev);
}
spin_unlock(&gart->client_lock);
--
2.19.0