Subject: [POSSIBLE BUG] iommu/io-pgtable-arm: possible dereferencing of NULL pointer
From: Subkhankulov Rustam
To: Will Deacon
Cc: Robin Murphy, Joerg Roedel, linux-arm-kernel@lists.infradead.org, iommu@lists.linux.dev, linux-kernel@vger.kernel.org, Alexey Khoroshilov, ldv-project@linuxtesting.org
Date: Mon, 18 Jul 2022 12:20:06 +0300
Message-ID: <28df50012344fb1c925a7ceaf55ae400152ffb48.camel@ispras.ru>
X-Mailing-List: linux-kernel@vger.kernel.org

Version: 5-19-rc6

In function '__arm_lpae_alloc_pages' pointer 'dev' is compared with NULL at [drivers/iommu/io-pgtable-arm.c: 203]. This means that the pointer can be NULL.

-----------------------------------------------------------------------
203         p = alloc_pages_node(dev ? dev_to_node(dev) : NUMA_NO_NODE,
204                              gfp | __GFP_ZERO, order);
-----------------------------------------------------------------------

Then, if cfg->coherent_walk == 0 at [drivers/iommu/io-pgtable-arm.c: 209], function 'dma_map_single', which is defined as 'dma_map_single_attrs', is called and pointer 'dev' is passed as the first parameter.

-----------------------------------------------------------------------
209         if (!cfg->coherent_walk) {
208                 dma = dma_map_single(dev, pages, size, DMA_TO_DEVICE);
-----------------------------------------------------------------------

Therefore, pointer 'dev' is passed to function 'dev_driver_string' in macro 'dev_WARN_ONCE' at [include/linux/dma-mapping.h: 326], where it is dereferenced at [drivers/base/core.c: 2091].

-----------------------------------------------------------------------
2083 const char *dev_driver_string(const struct device *dev)
2084 {
2085         struct device_driver *drv;
2086 
---
2091         drv = READ_ONCE(dev->driver);
-----------------------------------------------------------------------

Thus, if it is possible that 'dev' is NULL at the same time that flag 'coherent_walk' is 0, then a NULL pointer will be dereferenced.

Should we somehow avoid the NULL pointer dereference, or is this situation impossible, in which case we should remove the comparison with NULL?

Found by Linux Verification Center (linuxtesting.org) with SVACE.

regards,
Rustam Subkhankulov
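Added example, not part of the report above and not the kernel's code: a small userspace model of the pattern the report describes (a pointer NULL-checked at one use and then handed unconditionally to a helper that dereferences it), beside a hardened variant that makes the two uses agree by failing early when there is no device but the table must be DMA-mapped. All names here (model_device, model_cfg, model_dma_map, model_alloc_*, model_try, MODEL_EINVAL) are hypothetical stand-ins for the kernel structures and helpers named in the report; the 64-byte buffer is a constructed stand-in for the page-table page.

```c
#include <stddef.h>
#include <stdio.h>

#define MODEL_EINVAL 22           /* stands in for the kernel's EINVAL */

/* Hypothetical stand-ins for struct device and struct io_pgtable_cfg. */
struct model_device {
    const char *driver;           /* plays the role of dev->driver */
};

struct model_cfg {
    int coherent_walk;            /* 0: page-table memory must be DMA-mapped */
};

/* Plays the role of dev_driver_string(): dereferences 'dev' unconditionally. */
static const char *model_driver_string(const struct model_device *dev)
{
    return dev->driver ? dev->driver : "";
}

/* Plays the role of dma_map_single(): consults the device before mapping,
 * so a NULL 'dev' reaches the dereference in model_driver_string(). */
static int model_dma_map(const struct model_device *dev, const void *buf, size_t len)
{
    if (buf == NULL || len == 0)
        return -MODEL_EINVAL;
    printf("mapping %zu bytes for driver '%s'\n", len, model_driver_string(dev));
    return 0;
}

/* Unhardened: same shape as the report. 'dev' is NULL-checked once (for node
 * selection) and then passed straight to the mapping helper. With dev == NULL
 * and coherent_walk == 0 this dereferences NULL, so it is never called that
 * way below; the hardened wrapper screens that combination out first. */
static int model_alloc_unhardened(const struct model_device *dev,
                                  const struct model_cfg *cfg,
                                  const void *buf, size_t len)
{
    int node = dev ? 0 : -1;      /* dev ? dev_to_node(dev) : NUMA_NO_NODE */
    (void)node;
    if (!cfg->coherent_walk)
        return model_dma_map(dev, buf, len);
    return 0;
}

/* Hardened: make the two uses of 'dev' agree. A non-coherent walk needs a
 * device to map the table for; with none, fail early with an error instead
 * of handing a NULL pointer to the mapping helper. */
static int model_alloc_hardened(const struct model_device *dev,
                                const struct model_cfg *cfg,
                                const void *buf, size_t len)
{
    if (!dev && !cfg->coherent_walk)
        return -MODEL_EINVAL;
    return model_alloc_unhardened(dev, cfg, buf, len);
}

/* Drive the hardened path for a given (device present?, coherent_walk) pair
 * on a constructed 64-byte buffer; returns 0 on success or -MODEL_EINVAL. */
static int model_try(int have_dev, int coherent_walk)
{
    static const struct model_device dev = { "model-iommu" };
    static char table[64];        /* constructed stand-in for the page-table page */
    struct model_cfg cfg = { coherent_walk };
    return model_alloc_hardened(have_dev ? &dev : NULL, &cfg, table, sizeof table);
}

int main(void)
{
    printf("dev present,  coherent walk     -> %d\n", model_try(1, 1));
    printf("dev present,  non-coherent walk -> %d\n", model_try(1, 0));
    printf("dev missing,  coherent walk     -> %d\n", model_try(0, 1));
    printf("dev missing,  non-coherent walk -> %d\n", model_try(0, 0));
    return 0;
}
```

The point of the model is the asymmetry the report flags: once a pointer has been tested for NULL, every later use on the same path either has to tolerate NULL or has to be guarded by the same test. Which of the two fixes is right for the real code (rejecting the combination, or dropping the NULL test because the combination cannot occur) is exactly the question the report asks the maintainers; the model only shows what the "reject" option looks like and that it keeps the three valid combinations working.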