From: Zhen Lei <thunder.leizhen@huawei.com>
Date: Thu, 12 Jul 2018 17:28:43 +0800
Subject: iommu/arm-smmu-v3: Prevent any devices access to memory without
 registration
Git-commit: a71792dee2a33d2e935d4b67dd63924f5ceb203d
Patch-mainline: v4.19-rc1
References: fate#326252

Stream bypass is a potential security hole since a malicious device can be
hotplugged in without matching any drivers, yet be granted the ability to
access all of physical memory.

Now that we attach devices to domains by default, we can toggle the
disable_bypass default to "on", preventing DMA from unknown devices.

Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Matthias Brugger <mbrugger@suse.com>
---
 drivers/iommu/arm-smmu-v3.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iommu/arm-smmu-v3.c
+++ b/drivers/iommu/arm-smmu-v3.c
@@ -422,7 +422,7 @@
 #define ACPI_IORT_SMMU_HISILICON_HI161X		0x1
 #endif
 
-static bool disable_bypass;
+static bool disable_bypass = 1;
 module_param_named(disable_bypass, disable_bypass, bool, S_IRUGO);
 MODULE_PARM_DESC(disable_bypass,
 	"Disable bypass streams such that incoming transactions from devices that are not attached to an iommu domain will report an abort back to the device and will not be allowed to pass through the SMMU.");