iommu_sva_bind_device() should return either a sva bond handle or an
ERR_PTR value in error cases. Existing drivers (idxd and uacce) only
check the return value with IS_ERR(). This could potentially lead to
a kernel NULL pointer dereference issue if the function returns NULL
instead of an error pointer.

In reality, this doesn't cause any problems because iommu_sva_bind_device()
only returns NULL when the kernel is not configured with CONFIG_IOMMU_SVA.
In this case, iommu_dev_enable_feature(dev, IOMMU_DEV_FEAT_SVA) will
return an error, and the device drivers won't call iommu_sva_bind_device()
at all.

Fixes: 26b25a2b98e4 ("iommu: Bind process address spaces to devices")
Signed-off-by: Lu Baolu <[email protected]>
---
include/linux/iommu.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/iommu.h b/include/linux/iommu.h
index 7bc8dff7cf6d..17b3f36ad843 100644
--- a/include/linux/iommu.h
+++ b/include/linux/iommu.h
@@ -1533,7 +1533,7 @@ struct iommu_domain *iommu_sva_domain_alloc(struct device *dev,
static inline struct iommu_sva *
iommu_sva_bind_device(struct device *dev, struct mm_struct *mm)
{
- return NULL;
+ return ERR_PTR(-ENODEV);
}
static inline void iommu_sva_unbind_device(struct iommu_sva *handle)
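Review bot: At `return ERR_PTR(-ENODEV);` the rule that iommu_sva_bind_device() never returns NULL is still not written down anywhere in the lines shown, and that unstated rule is what let this stub and the IS_ERR()-only callers drift apart. Consider a one-line comment above the stub, or kernel-doc on the real function, stating that the return value is either a valid handle or an ERR_PTR and never NULL, so that later stubs and callers stay in step.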
--
2.34.1
On Tue, May 28, 2024 at 12:25:28PM +0800, Lu Baolu wrote:
> iommu_sva_bind_device() should return either a sva bond handle or an
> ERR_PTR value in error cases. Existing drivers (idxd and uacce) only
> check the return value with IS_ERR(). This could potentially lead to
> a kernel NULL pointer dereference issue if the function returns NULL
> instead of an error pointer.
>
> In reality, this doesn't cause any problems because iommu_sva_bind_device()
> only returns NULL when the kernel is not configured with CONFIG_IOMMU_SVA.
> In this case, iommu_dev_enable_feature(dev, IOMMU_DEV_FEAT_SVA) will
> return an error, and the device drivers won't call iommu_sva_bind_device()
> at all.
>
> Fixes: 26b25a2b98e4 ("iommu: Bind process address spaces to devices")
> Signed-off-by: Lu Baolu <[email protected]>
Reviewed-by: Jean-Philippe Brucker <[email protected]>
> ---
> include/linux/iommu.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/linux/iommu.h b/include/linux/iommu.h
> index 7bc8dff7cf6d..17b3f36ad843 100644
> --- a/include/linux/iommu.h
> +++ b/include/linux/iommu.h
> @@ -1533,7 +1533,7 @@ struct iommu_domain *iommu_sva_domain_alloc(struct device *dev,
> static inline struct iommu_sva *
> iommu_sva_bind_device(struct device *dev, struct mm_struct *mm)
> {
> - return NULL;
> + return ERR_PTR(-ENODEV);
> }
>
> static inline void iommu_sva_unbind_device(struct iommu_sva *handle)
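Review bot: The hunk header shows the iommu_sva_domain_alloc() stub sitting directly above this one, and its return statement is not visible in the diff. If that stub also returns NULL while its callers test only IS_ERR(), it has the same mismatch that `- return NULL;` had here; it is worth checking in the same pass and recording the result in the commit message.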
> --
> 2.34.1
>
> From: Lu Baolu <[email protected]>
> Sent: Tuesday, May 28, 2024 12:25 PM
>
> iommu_sva_bind_device() should return either a sva bond handle or an
> ERR_PTR value in error cases. Existing drivers (idxd and uacce) only
> check the return value with IS_ERR(). This could potentially lead to
> a kernel NULL pointer dereference issue if the function returns NULL
> instead of an error pointer.
>
> In reality, this doesn't cause any problems because iommu_sva_bind_device()
> only returns NULL when the kernel is not configured with
> CONFIG_IOMMU_SVA.
> In this case, iommu_dev_enable_feature(dev, IOMMU_DEV_FEAT_SVA) will
> return an error, and the device drivers won't call iommu_sva_bind_device()
> at all.
>
> Fixes: 26b25a2b98e4 ("iommu: Bind process address spaces to devices")
> Signed-off-by: Lu Baolu <[email protected]>
Reviewed-by: Kevin Tian <[email protected]>
On 5/28/2024 9:55 AM, Lu Baolu wrote:
> iommu_sva_bind_device() should return either a sva bond handle or an
> ERR_PTR value in error cases. Existing drivers (idxd and uacce) only
> check the return value with IS_ERR(). This could potentially lead to
> a kernel NULL pointer dereference issue if the function returns NULL
> instead of an error pointer.
>
> In reality, this doesn't cause any problems because iommu_sva_bind_device()
> only returns NULL when the kernel is not configured with CONFIG_IOMMU_SVA.
> In this case, iommu_dev_enable_feature(dev, IOMMU_DEV_FEAT_SVA) will
> return an error, and the device drivers won't call iommu_sva_bind_device()
> at all.
>
> Fixes: 26b25a2b98e4 ("iommu: Bind process address spaces to devices")
> Signed-off-by: Lu Baolu <[email protected]>
Reviewed-by: Vasant Hegde <[email protected]>
-Vasant
On Tue, May 28, 2024 at 12:25:28PM +0800, Lu Baolu wrote:
> include/linux/iommu.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Applied, thanks.
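
The mismatch described in the commit message, as an added userspace illustration that is not part of the thread or of the kernel source: it models the kernel's ERR_PTR()/IS_ERR() helpers and runs a caller that checks only IS_ERR() against the old and new stub return values. The names bind_stub_old, bind_stub_new and caller_is_err_only, and the struct body, are hypothetical.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model of the kernel's error-pointer helpers: negative errno
 * values down to -MAX_ERRNO are encoded in the top 4095 addresses. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline bool IS_ERR(const void *ptr)
{
	return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO;
}

struct iommu_sva { int pasid; }; /* hypothetical stand-in, not the kernel layout */

/* The stub's return value before and after the patch (hypothetical names). */
static struct iommu_sva *bind_stub_old(void) { return NULL; }
static struct iommu_sva *bind_stub_new(void) { return ERR_PTR(-ENODEV); }

/* Hypothetical caller that checks only IS_ERR(), as the commit message says
 * idxd and uacce do. Returns the errno it bailed out with, or 0 if it would
 * carry on and use the handle; *would_deref_null reports whether that handle
 * is NULL. */
static long caller_is_err_only(struct iommu_sva *handle, bool *would_deref_null)
{
	*would_deref_null = false;
	if (IS_ERR(handle))
		return PTR_ERR(handle);
	/* A real driver would dereference or store 'handle' at this point. */
	*would_deref_null = (handle == NULL);
	return 0;
}

int main(void)
{
	bool bad;
	long rc = caller_is_err_only(bind_stub_old(), &bad);

	printf("old stub: rc=%ld, would use NULL handle: %s\n", rc, bad ? "yes" : "no");
	rc = caller_is_err_only(bind_stub_new(), &bad);
	printf("new stub: rc=%ld, would use NULL handle: %s\n", rc, bad ? "yes" : "no");
	return 0;
}
```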