iommu/tegra: smmu: Nullify stale pointer

The map* in smmu_map_prop points to the dma_iommu_mapping
which was destroyed. It may be possible that a client which registers
to this swgroup will be using the stale pointer and not create one
new dma_iommu_mapping * if this pointer is not set NULL.
Fix it by setting it NULL just before domain is destroyed.

Bug 200031739

Change-Id: I05ac3456074d6bbfe11cbc766e47de257d0e0ae5
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Reviewed-on: http://git-master/r/552080
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Hiroshi Doyu <hdoyu@nvidia.com>

diff --git a/drivers/iommu/tegra-smmu.c b/drivers/iommu/tegra-smmu.c
index fc3adf7c88ef2d0b3442563a8b80d66562a19fe0..bdc03b19a3202b1922c69ce6132b498116cb23cd 100644 (file)
--- a/drivers/iommu/tegra-smmu.c
+++ b/drivers/iommu/tegra-smmu.c
@@ -1756,11 +1756,20 @@ static void smmu_iommu_domain_destroy(struct iommu_domain *domain)
        struct smmu_as *as = domain_to_as(domain, -1);
        struct smmu_device *smmu;
        unsigned long flags;
+       struct smmu_map_prop *prop;
 
        if (!as)
                return;
        smmu = as->smmu;
 
+       /* find the smmu_map_prop containing this domain */
+       list_for_each_entry(prop, &smmu_handle->asprops, list) {
+               if (prop->map->domain == domain)
+                       goto found;
+       }
+
+       prop = NULL;
+found:
        spin_lock_irqsave(&as->lock, flags);
 
        debugfs_remove_recursive(as->debugfs_root);
@@ -1789,6 +1798,8 @@ static void smmu_iommu_domain_destroy(struct iommu_domain *domain)
 
        devm_kfree(smmu->dev, domain->priv);
        domain->priv = NULL;
+       if (prop)
+               prop->map = NULL;
        dev_dbg(smmu->dev, "smmu_as@%p\n", as);
 }