iommu: fix KASAN use-after-free in iommu_insert_resv_region

In case the new region gets merged into another one, the nr list node is freed. Checking its type while completing the merge algorithm leads to a use-after-free. Use new->type instead. Fixes: 4dbd258 ("iommu: Revisit iommu_insert_resv_region() implementation") Signed-off-by: Eric Auger <[email protected]> Reported-by: Qian Cai <[email protected]> Reviewed-by: Jerry Snitselaar <[email protected]> Cc: Stable <[email protected]> #v5.3+ Signed-off-by: Linus Torvalds <[email protected]>
laijs · Dec 16, 2019 · 4c80ba3 · 4c80ba3
1 parent 7de7de7
commit 4c80ba3
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
@@ -312,8 +312,8 @@ int iommu_insert_resv_region(struct iommu_resv_region *new,
 	list_for_each_entry_safe(iter, tmp, regions, list) {
 		phys_addr_t top_end, iter_end = iter->start + iter->length - 1;
 
-		/* no merge needed on elements of different types than @nr */
-		if (iter->type != nr->type) {
+		/* no merge needed on elements of different types than @new */
+		if (iter->type != new->type) {
 			list_move_tail(&iter->list, &stack);
 			continue;
 		}