Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp161515pxj;
        Wed, 9 Jun 2021 19:53:15 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwiQDa9HCh6imBbDHqEKesDmg97DDuC82Vp0RJmA/7dve+BKdF0UVF85Ujc2+jGO/bOALqB
X-Received: by 2002:a17:907:92e:: with SMTP id au14mr2448353ejc.194.1623293595107;
        Wed, 09 Jun 2021 19:53:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1623293595; cv=none;
        d=google.com; s=arc-20160816;
        b=Eq3FQlQHz5av4M+Cmg1dHadGg1T43sFTw7m4fO+g1dGD0WyRe4KZIWjRT1L9JwzTme
         PBsBJ4FzzCleig9Oh9zwH33Ne/zvEzvbva7Y9UjUJPIO39Ux/prBEymUqhzXLjdTcNFh
         vZyxmAOZp2NRi29oF0plTgAtgcTnq25COtOVedL4jg3F8GJU2GdM4xi7yh57zLwxn3uk
         Pa4+DvCFhze65aueXJ+Nf8FBOChSCEMOFzcvR7t/zJb+OW2W1orRGYXHim+Xoau/7b+y
         7IQMSqxiLLR5TJb1NVA6sfPuU3TInbda6/YhflliDehMZ5+YSqwC/DeaF9PtocxRy7/e
         BFWA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=IMdWAt6jVxWyOFqlA88Vpi5JDjIoGezrCwGREHKcDkM=;
        b=nq3kqGvPHGyiS+DY+7nj9f23KpZtZ9nFtI69sT0oFJh92+lsOb32kHyRM0NzfG1NPm
         rnqcSQIEH9IKtaBvVjpXH57gAqyyH7o372OcOZFymdL2yimqkqEHbUHW1sr/Q+vsF+7R
         foJoWZCG7MNDtoAEdzp2h/5aU8L3LDwjTiV2kRNR9HjBo6Vdxiz/E7MEXkyJiYteAO6F
         wQ2uoX+hvYOMpcAOqDYpEMmPnHKtMozTx+ZgB81HQjMHoQHKway9P6vAo7adCspWuOZ3
         gSmfypwBxHSBN+mD7APrqKHDb8ACMCGW66JF+XIB/1WgBWaycB5Fz0+rO2LW/ogbMkO2
         ZcKQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@fudan.edu.cn header.s=dkim header.b=oi1XTPf4;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=fudan.edu.cn
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id i17si1037404edc.537.2021.06.09.19.52.51;
        Wed, 09 Jun 2021 19:53:15 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@fudan.edu.cn header.s=dkim header.b=oi1XTPf4;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=fudan.edu.cn
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229634AbhFJCwl (ORCPT <rfc822;lwx169@gmail.com> + 99 others);
        Wed, 9 Jun 2021 22:52:41 -0400
Received: from zg8tmty1ljiyny4xntqumjca.icoremail.net ([165.227.154.27]:45522
        "HELO zg8tmty1ljiyny4xntqumjca.icoremail.net" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with SMTP id S229557AbhFJCwl (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 9 Jun 2021 22:52:41 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=fudan.edu.cn; s=dkim; h=Received:From:To:Cc:Subject:Date:
        Message-Id; bh=IMdWAt6jVxWyOFqlA88Vpi5JDjIoGezrCwGREHKcDkM=; b=o
        i1XTPf4zLP+oWM5UTuqjZrwJPCstiHFQnzeVAkRejyxw0bULgBzjbR7ztiQPPy0c
        ts1reBUnWLhgFUD8449dNK5ygvclwnK28eTFZHA/hWHGvXR6e4bJhQtWrrFbQiH9
        ZYu1ylaBQlEszuJhA6JC08U/uY3Qv0fUxq8bpkA36g=
Received: from localhost.localdomain (unknown [10.162.161.90])
        by app2 (Coremail) with SMTP id XQUFCgC3vhbYfcFgf8ZUAw--.13830S3;
        Thu, 10 Jun 2021 10:50:01 +0800 (CST)
From:   Xiyu Yang <xiyuyang19@fudan.edu.cn>
To:     Will Deacon <will@kernel.org>, Robin Murphy <robin.murphy@arm.com>,
        Joerg Roedel <joro@8bytes.org>,
        Rob Clark <robdclark@chromium.org>,
        Jon Hunter <jonathanh@nvidia.com>,
        Krishna Reddy <vdumpa@nvidia.com>,
        Jordan Crouse <jordan@cosmicpenguin.net>,
        Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>,
        linux-arm-kernel@lists.infradead.org,
        iommu@lists.linux-foundation.org, linux-kernel@vger.kernel.org
Cc:     yuanxzhang@fudan.edu.cn, Xiyu Yang <xiyuyang19@fudan.edu.cn>,
        Xin Tan <tanxin.ctf@gmail.com>
Subject: [PATCH v2] iommu/arm-smmu: Fix arm_smmu_device refcount leak in address translation
Date:   Thu, 10 Jun 2021 10:49:20 +0800
Message-Id: <1623293391-17261-1-git-send-email-xiyuyang19@fudan.edu.cn>
X-Mailer: git-send-email 2.7.4
X-CM-TRANSID: XQUFCgC3vhbYfcFgf8ZUAw--.13830S3
X-Coremail-Antispam: 1UD129KBjvJXoW7KF43JF1fKw13Ar1fKF13XFb_yoW8Cr1Upa
        1xWr9YyF1rX3WUJFyUJ3yvvFn0vayxAFyUKFW7Gas5Cw15trZ5Kw1rKFyagF1kCry8Cw43
        Zr12qFW5uF4UAFJanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2
        9KBjDU0xBIdaVrnRJUUU9G14x267AKxVW8JVW5JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0
        rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK02
        1l84ACjcxK6xIIjxv20xvE14v26w1j6s0DM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26rxl
        6s0DM28EF7xvwVC2z280aVAFwI0_GcCE3s1l84ACjcxK6I8E87Iv6xkF7I0E14v26rxl6s
        0DM2vYz4IE04k24VAvwVAKI4IrM2AIxVAIcxkEcVAq07x20xvEncxIr21l5I8CrVACY4xI
        64kE6c02F40Ex7xfMcIj6xIIjxv20xvE14v26r1j6r18McIj6I8E87Iv67AKxVWUJVW8Jw
        Am72CE4IkC6x0Yz7v_Jr0_Gr1lF7xvr2IYc2Ij64vIr41lF7I21c0EjII2zVCS5cI20VAG
        YxC7M4IIrI8v6xkF7I0E8cxan2IY04v7MxkIecxEwVCm-wCF04k20xvY0x0EwIxGrwCFx2
        IqxVCFs4IE7xkEbVWUJVW8JwC20s026c02F40E14v26r1j6r18MI8I3I0E7480Y4vE14v2
        6r106r1rMI8E67AF67kF1VAFwI0_Jw0_GFylIxkGc2Ij64vIr41lIxAIcVC0I7IYx2IY67
        AKxVWUJVWUCwCI42IY6xIIjxv20xvEc7CjxVAFwI0_Gr0_Cr1lIxAIcVCF04k26cxKx2IY
        s7xG6rW3Jr0E3s1lIxAIcVC2z280aVAFwI0_Jr0_Gr1lIxAIcVC2z280aVCY1x0267AKxV
        W8JVW8JrUvcSsGvfC2KfnxnUUI43ZEXa7VUbHa0DUUUUU==
X-CM-SenderInfo: irzsiiysuqikmy6i3vldqovvfxof0/
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

The reference counting issue happens in several exception handling paths
of arm_smmu_iova_to_phys_hard(). When those error scenarios occur, the
function forgets to decrease the refcount of "smmu" increased by
arm_smmu_rpm_get(), causing a refcount leak.

Fix this issue by jumping to "out" label when those error scenarios
occur.

Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
---
 drivers/iommu/arm/arm-smmu/arm-smmu.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu.c b/drivers/iommu/arm/arm-smmu/arm-smmu.c
index 6f72c4d208ca..3a3847277320 100644
--- a/drivers/iommu/arm/arm-smmu/arm-smmu.c
+++ b/drivers/iommu/arm/arm-smmu/arm-smmu.c
@@ -1271,6 +1271,7 @@ static phys_addr_t arm_smmu_iova_to_phys_hard(struct iommu_domain *domain,
 	u64 phys;
 	unsigned long va, flags;
 	int ret, idx = cfg->cbndx;
+	phys_addr_t addr = 0;
 
 	ret = arm_smmu_rpm_get(smmu);
 	if (ret < 0)
@@ -1290,6 +1291,7 @@ static phys_addr_t arm_smmu_iova_to_phys_hard(struct iommu_domain *domain,
 		dev_err(dev,
 			"iova to phys timed out on %pad. Falling back to software table walk.\n",
 			&iova);
+		arm_smmu_rpm_put(smmu);
 		return ops->iova_to_phys(ops, iova);
 	}
 
@@ -1298,12 +1300,14 @@ static phys_addr_t arm_smmu_iova_to_phys_hard(struct iommu_domain *domain,
 	if (phys & ARM_SMMU_CB_PAR_F) {
 		dev_err(dev, "translation fault!\n");
 		dev_err(dev, "PAR = 0x%llx\n", phys);
-		return 0;
+		goto out;
 	}
 
+	addr = (phys & GENMASK_ULL(39, 12)) | (iova & 0xfff);
+out:
 	arm_smmu_rpm_put(smmu);
 
-	return (phys & GENMASK_ULL(39, 12)) | (iova & 0xfff);
+	return addr;
 }
 
 static phys_addr_t arm_smmu_iova_to_phys(struct iommu_domain *domain,
-- 
2.7.4