* [PATCH] iommu: check if group is NULL before remove device
@ 2021-07-15  7:11 Frank Wunderlich
  2021-07-15  7:20 ` Joerg Roedel
  0 siblings, 1 reply; 5+ messages in thread
From: Frank Wunderlich @ 2021-07-15  7:11 UTC (permalink / raw)
  To: iommu; +Cc: Frank Wunderlich, Joerg Roedel, Will Deacon, linux-kernel, yong.wu

From: Frank Wunderlich <frank-w@public-files.de>

if probe is failing, iommu_group may be not initialized,
so freeing it will result in NULL pointer access

Fixes: d72e31c93746 ("iommu: IOMMU Groups")
Signed-off-by: Frank Wunderlich <frank-w@public-files.de>
---
 drivers/iommu/iommu.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
index 5419c4b9f27a..63f0af10c403 100644
--- a/drivers/iommu/iommu.c
+++ b/drivers/iommu/iommu.c
@@ -924,6 +924,9 @@ void iommu_group_remove_device(struct device *dev)
 	struct iommu_group *group = dev->iommu_group;
 	struct group_device *tmp_device, *device = NULL;
 
+	if (!group)
+		return;
+
 	dev_info(dev, "Removing from iommu group %d\n", group->id);
 
 	/* Pre-notify listeners that a device is being removed. */
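Review bot: The new `if (!group) return;` guard at the top of iommu_group_remove_device() carries no comment saying why dev->iommu_group can be NULL at this point; a one-line comment naming the path (a probe failure in __iommu_probe_device() taking the err_release path into iommu_release_device() before any group was assigned, as described later in this thread) would make it clear that this is an expected cleanup order rather than an unexplained defensive check, and the same explanation belongs in the commit message, which currently only says the group "may be not initialized".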
-- 
2.25.1



* Re: [PATCH] iommu: check if group is NULL before remove device
  2021-07-15  7:11 [PATCH] iommu: check if group is NULL before remove device Frank Wunderlich
@ 2021-07-15  7:20 ` Joerg Roedel
  2021-07-28 10:35   ` Frank Wunderlich
  2021-07-30 13:18   ` Frank Wunderlich (linux)
  0 siblings, 2 replies; 5+ messages in thread
From: Joerg Roedel @ 2021-07-15  7:20 UTC (permalink / raw)
  To: Frank Wunderlich
  Cc: iommu, Frank Wunderlich, Will Deacon, linux-kernel, yong.wu

On Thu, Jul 15, 2021 at 09:11:50AM +0200, Frank Wunderlich wrote:
> From: Frank Wunderlich <frank-w@public-files.de>
> 
> if probe is failing, iommu_group may be not initialized,

Sentences start with capital letters.

IOMMU patch subjects too, after the 'iommu:' prefix.

> so freeing it will result in NULL pointer access

Please describe in more detail how this NULL-ptr dereference is
triggered.

Regards,

	Joerg


* Re: [PATCH] iommu: check if group is NULL before remove device
  2021-07-15  7:20 ` Joerg Roedel
@ 2021-07-28 10:35   ` Frank Wunderlich
  2021-07-30 13:18   ` Frank Wunderlich (linux)
  1 sibling, 0 replies; 5+ messages in thread
From: Frank Wunderlich @ 2021-07-28 10:35 UTC (permalink / raw)
  To: Joerg Roedel; +Cc: iommu, Frank Wunderlich, Will Deacon, linux-kernel, yong.wu

Hi Joerg,

Sorry for the late reply, somehow I marked the message as read without answering it.

On 15 July 2021 09:20:04 CEST, Joerg Roedel <joro@8bytes.org> wrote:
>On Thu, Jul 15, 2021 at 09:11:50AM +0200, Frank Wunderlich wrote:
>> From: Frank Wunderlich <frank-w@public-files.de>
>> 
>> if probe is failing, iommu_group may be not initialized,
>
>Sentences start with capital letters.
>
>IOMMU patch subjects too, after the 'iommu:' prefix.

Will fix these in v2.

>> so freeing it will result in NULL pointer access
>
>Please describe in more detail how this NULL-ptr dereference is
>triggered.

I hit this while testing this series:
https://patchwork.kernel.org/project/linux-mediatek/list/?series=515129

Initialization in the mtk driver failed (I guess the iommu group was not yet created), cleanup was started and so this function is called with a NULL group pointer. I can try to find my debug trace if you need a kind of backtrace.

Regards, Frank


* Re: [PATCH] iommu: check if group is NULL before remove device
  2021-07-15  7:20 ` Joerg Roedel
  2021-07-28 10:35   ` Frank Wunderlich
@ 2021-07-30 13:18   ` Frank Wunderlich (linux)
  1 sibling, 0 replies; 5+ messages in thread
From: Frank Wunderlich (linux) @ 2021-07-30 13:18 UTC (permalink / raw)
  To: Joerg Roedel; +Cc: iommu, Frank Wunderlich, Will Deacon, linux-kernel, yong.wu

On 2021-07-15 09:20, Joerg Roedel wrote:
> On Thu, Jul 15, 2021 at 09:11:50AM +0200, Frank Wunderlich wrote:
>> From: Frank Wunderlich <frank-w@public-files.de>
>> 
>> if probe is failing, iommu_group may be not initialized,
> 
> Sentences start with capital letters.
> 
> IOMMU patch subjects too, after the 'iommu:' prefix.
> 
>> so freeing it will result in NULL pointer access
> 
> Please describe in more detail how this NULL-ptr dereference is
> triggered.

In my case probe (mtk_iommu_probe_device called from 
__iommu_probe_device) is failing due to a missing fwspec, and then 
dev_iommu_free/iommu_fwspec_free is called, and later 
iommu_group_remove_device with group=NULL.

I think I've found the problem:

iommu_probe_device:
     group = iommu_group_get(dev);
     if (!group) { //group is checked here for NULL but accessed later
         ret = -ENODEV;
         goto err_release; <<<
     }
err_release:<<<
     iommu_release_device(dev);

------------------------------------------------------------------------------
void iommu_release_device(struct device *dev)
{
...
     iommu_group_remove_device(dev);

------------------------------------------------------------------------------
void iommu_group_remove_device(struct device *dev)
{
     struct iommu_group *group = dev->iommu_group;
     struct group_device *tmp_device, *device = NULL;
...
     dev_info(dev, "Removing from iommu group %d\n", group->id); //crash as group is NULL and not checked

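A small added model of the call order described above, written for this thread and not taken from the kernel: the structs and bodies are simplified assumptions, and the three functions stand in for __iommu_probe_device(), iommu_release_device() and iommu_group_remove_device(). It shows that a probe failing before any group is assigned reaches the remove path with dev->iommu_group == NULL, which the patched early return handles.

```c
/* Added model, not kernel code: simplified stand-ins for the structs and
 * functions named in this thread. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct iommu_group { int id; int ndevices; };
struct device { const char *name; struct iommu_group *iommu_group; int has_fwspec; };

/* Model of iommu_group_remove_device() after the patch. Before the patch
 * the dev_info() line below ran unconditionally and dereferenced NULL. */
static int model_group_remove_device(struct device *dev)
{
	struct iommu_group *group = dev->iommu_group;

	if (!group)
		return -ENODEV;	/* patched behaviour: nothing to remove */
	printf("%s: removing from iommu group %d\n", dev->name, group->id);
	group->ndevices--;
	dev->iommu_group = NULL;
	return 0;
}

/* Model of iommu_release_device(): runs on every probe error path, so it
 * must tolerate a device that never got a group. */
static int model_release_device(struct device *dev)
{
	return model_group_remove_device(dev);
}

/* Model of __iommu_probe_device(): the driver probe fails when the fwspec
 * is missing, before the group is assigned, and then jumps to the
 * err_release path with dev->iommu_group still NULL. */
static int model_probe_device(struct device *dev, struct iommu_group *group)
{
	if (!dev->has_fwspec) {
		model_release_device(dev);	/* err_release: */
		return -ENODEV;
	}
	dev->iommu_group = group;
	group->ndevices++;
	return 0;
}
```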
