iommu: Fix missing return check of arm_lpae_init_pte

UAF scenario may occur in clients with EL1 privileges for
iova mappings when we miss to check the return value of
arm_lpae_init_pte which may lead to an PTE be counted as
it was set even if it was already existing. This can cause a
dangling IOMMU PTE to be left mapped pointing to a
freed object and cause UAF in the client if the dangling PTE
is accessed after a failed unmap operation.

Fixes: 27de1978c331 ("ANDROID: GKI: iommu/io-pgtable-arm: LPAE related updates by vendor")
Change-Id: Ibb59d5c82e15a2faaae2b2fc8e280466ac3d3bd6
Signed-off-by: Pratyush Brahma <quic_pbrahma@quicinc.com>
Provenance: https://git.codelinaro.org/clo/la/kernel/msm-4.19/-/commit/1e46e81dbeb69aafd5842ce779f07e617680fd58
Bug: 299649795

1 files changed, 5 insertions, 3 deletions

diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
index a6fad3ab7315..e23e10dd8e4d 100644
--- a/drivers/iommu/io-pgtable-arm.c
+++ b/drivers/iommu/io-pgtable-arm.c
@@ -670,9 +670,11 @@ static int arm_lpae_map_sg(struct io_pgtable_ops *ops, unsigned long iova,
 				arm_lpae_iopte *ptep = ms.pgtable +
 					ARM_LPAE_LVL_IDX(iova, MAP_STATE_LVL,
 							 data);
-				arm_lpae_init_pte(
-					data, iova, phys, prot, MAP_STATE_LVL,
-					ptep, ms.prev_pgtable, false);
+				ret = arm_lpae_init_pte(data, iova, phys, prot,
+							MAP_STATE_LVL, ptep,
+							ms.prev_pgtable, false);
+				if (ret)
+					goto out_err;
 				ms.num_pte++;
 			} else {
 				ret = __arm_lpae_map(data, iova, phys, pgsize,