CVE-2024-56568

Severity CVSS v4.0:
Pending analysis
Type:
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date:
27/12/2024
Last modified:
03/02/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

iommu/arm-smmu: Defer probe of clients after smmu device bound

Null pointer dereference occurs due to a race between smmu driver probe and client driver probe, when of_dma_configure() for client is called after the iommu_device_register() for smmu driver probe has executed but before the driver_bound() for smmu driver has been called.

Following is how the race occurs:

T1: Smmu device probe           T2: Client device probe

really_probe()
arm_smmu_device_probe()
iommu_device_register()
                                really_probe()
                                platform_dma_configure()
                                of_dma_configure()
                                of_dma_configure_id()
                                of_iommu_configure()
                                iommu_probe_device()
                                iommu_init_device()
                                arm_smmu_probe_device()
                                arm_smmu_get_by_fwnode()
                                    driver_find_device_by_fwnode()
                                    driver_find_device()
                                    next_device()
                                    klist_next()
                                        /* null ptr assigned to smmu */
                                /* null ptr dereference while smmu->streamid_mask */
driver_bound()
    klist_add_tail()

When this null smmu pointer is dereferenced later in arm_smmu_probe_device, the device crashes.

Fix this by deferring the probe of the client device until the smmu device has bound to the arm smmu driver.

[will: Add comment]
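
The ordering problem and the deferral fix described above, as an added userspace C model (not the kernel patch and not code from this advisory). The struct, the function names, the mask and the sample stream ID are assumptions made for the illustration; only the call names in the comments and the -EPROBE_DEFER convention come from the kernel.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace model of the probe race; all names are hypothetical, not kernel code. */
#define EPROBE_DEFER 517 /* value the kernel uses for "retry this probe later" */

enum smmu_state { SMMU_ABSENT, SMMU_REGISTERED, SMMU_BOUND };
struct smmu { unsigned int streamid_mask; enum smmu_state state; };
static struct smmu the_smmu = { .streamid_mask = 0x7fff };

/* T1, models iommu_device_register(): client probes can now reach the driver. */
static void smmu_register(void) { the_smmu.state = SMMU_REGISTERED; }
/* T1, models driver_bound(): the device joins the driver's device list. */
static void smmu_bound(void) { the_smmu.state = SMMU_BOUND; }

/* Models arm_smmu_get_by_fwnode(): only finds devices that are already bound. */
static struct smmu *smmu_lookup(void)
{
    return the_smmu.state == SMMU_BOUND ? &the_smmu : NULL;
}

/* T2, client probe with the fix: defer instead of dereferencing NULL. */
static int client_probe(unsigned int sid, unsigned int *masked)
{
    struct smmu *smmu = smmu_lookup();
    if (!smmu)
        return -EPROBE_DEFER; /* registered but not bound: the race window */
    *masked = sid & smmu->streamid_mask; /* access that crashed when smmu was NULL */
    return 0;
}

/* Replays the interleaving from the description and reports both probe results. */
static void replay_race(int *first, int *retry, unsigned int *masked)
{
    the_smmu.state = SMMU_ABSENT;
    smmu_register();                        /* T1 */
    *first = client_probe(0x9234, masked);  /* T2 lands inside the window */
    smmu_bound();                           /* T1 */
    *retry = client_probe(0x9234, masked);  /* deferred probe is retried */
}

int main(void)
{
    int first, retry;
    unsigned int masked = 0;
    replay_race(&first, &retry, &masked);
    printf("first=%d retry=%d masked=0x%x\n", first, retry, masked);
    return 0;
}
```

Without the NULL check in client_probe(), the first call in replay_race() would dereference a null pointer, which is the crash the description reports.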

Vulnerable products and versions

CPE                                            From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   4.9 (including)    5.10.231 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.11 (including)   5.15.174 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.16 (including)   6.1.120 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.2 (including)    6.6.66 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.7 (including)    6.12.4 (excluding)