Subject: Re: [POSSIBLE BUG] iommu/io-pgtable-arm: possible dereferencing of NULL pointer
From: Robin Murphy
Date: Mon, 1 Aug 2022 12:06:56 +0100
To: Will Deacon, Subkhankulov Rustam
Cc: Joerg Roedel, linux-arm-kernel@lists.infradead.org, iommu@lists.linux.dev, linux-kernel@vger.kernel.org, Alexey Khoroshilov, ldv-project@linuxtesting.org
Message-ID: <71774d67-6c7f-ea42-2911-a3eb1955777d@arm.com>
In-Reply-To: <20220719173610.GA14526@willie-the-truck>
References: <28df50012344fb1c925a7ceaf55ae400152ffb48.camel@ispras.ru> <20220719173610.GA14526@willie-the-truck>
List-ID: linux-kernel@vger.kernel.org

On 2022-07-19 18:36, Will Deacon wrote:
> On Mon, Jul 18, 2022 at 12:20:06PM +0300, Subkhankulov Rustam wrote:
>> Version: 5-19-rc6
>>
>> In function '__arm_lpae_alloc_pages' pointer 'dev' is compared with
>> NULL at [drivers/iommu/io-pgtable-arm.c: 203]. This means that the
>> pointer can be NULL.
>>
>> -----------------------------------------------------------------------
>> 203         p = alloc_pages_node(dev ? dev_to_node(dev) : NUMA_NO_NODE,
>> 204                              gfp | __GFP_ZERO, order);
>> -----------------------------------------------------------------------
>>
>> Then, if cfg->coherent_walk == 0 at [drivers/iommu/io-pgtable-arm.c:
>> 209], function 'dma_map_single', which is defined as
>> 'dma_map_single_attrs', is called and pointer dev is passed as
>> first parameter.
>>
>> -----------------------------------------------------------------------
>> 209         if (!cfg->coherent_walk) {
>> 208                 dma = dma_map_single(dev, pages, size, DMA_TO_DEVICE);
>> -----------------------------------------------------------------------
>>
>> Therefore, pointer 'dev' is passed to function 'dev_driver_string'
>> in macro 'dev_WARN_ONCE' at [include/linux/dma-mapping.h: 326],
>> where it is dereferenced at [drivers/base/core.c: 2091].
>>
>> -----------------------------------------------------------------------
>> 2083 const char *dev_driver_string(const struct device *dev)
>> 2084 {
>> 2085         struct device_driver *drv;
>> 2086
>> ---
>> 2091         drv = READ_ONCE(dev->driver);
>> -----------------------------------------------------------------------
>>
>> Thus, if it is possible that 'dev' is null at the same time
>> that flag 'coherent_walk' is 0, then a NULL pointer will be
>> dereferenced.
>>
>> Should we somehow avoid the NULL pointer dereference, or is this
>> situation impossible and we should remove the comparison with NULL?
>
> I think 'dev' is only null in the case of the selftest initcall
> (see arm_lpae_do_selftests()), and 'coherent_walk' is always true there.

Indeed, the intent is that cfg->iommu_dev == NULL is a special case for
the selftest, which must always claim coherency as well for this reason.
I suppose we could add an explicit assertion along those lines in
alloc_pgtable if anyone really thinks it matters.

Cheers,
Robin.
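As an added illustration, not code from this thread or from the kernel, here is a user-space model of the invariant Robin describes: a NULL iommu_dev is only legal for the selftest, which must also be a coherent walk, and checking that up front keeps the non-coherent mapping path (the one that dereferences dev) unreachable with a NULL pointer. All struct and function names are constructed stand-ins for the kernel's io_pgtable_cfg, __arm_lpae_alloc_pages() and dma_map_single(), not the real ones.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed model of the two cfg fields the thread discusses (not the
 * kernel's struct io_pgtable_cfg); iommu_dev is NULL only for the selftest. */
struct model_cfg {
	bool coherent_walk;
	const char *iommu_dev;
};

/* The invariant from the thread: a NULL iommu_dev is only legal when the
 * walk is coherent. This is the up-front "explicit assertion". */
static bool model_cfg_valid(const struct model_cfg *cfg)
{
	return cfg->iommu_dev != NULL || cfg->coherent_walk;
}

/* Stand-in for the dma_map_single() -> dev_driver_string() path, which
 * dereferences dev unconditionally, as the report describes. */
static size_t model_dma_map(const char *dev, size_t size)
{
	return dev[0] ? size : 0;
}

/* Model of __arm_lpae_alloc_pages(): the guard runs before the only path
 * that touches dev. Returns NULL when cfg is inconsistent. */
static void *model_alloc_pages(const struct model_cfg *cfg, size_t size,
			       bool *touched_dev)
{
	*touched_dev = false;
	if (!model_cfg_valid(cfg))
		return NULL;
	void *pages = calloc(1, size);
	if (pages && !cfg->coherent_walk)
		*touched_dev = model_dma_map(cfg->iommu_dev, size) == size;
	return pages;
}

/* -1: rejected by the guard, 0: coherent path, 1: dev was dereferenced. */
static int scenario_result(bool coherent, const char *dev)
{
	struct model_cfg cfg = { .coherent_walk = coherent, .iommu_dev = dev };
	bool touched;
	void *p = model_alloc_pages(&cfg, 64, &touched);
	if (!p)
		return -1;
	free(p);
	return touched ? 1 : 0;
}
```

With the guard in place the selftest configuration (NULL dev, coherent walk) still allocates normally, while the combination the static analyser flagged (NULL dev, non-coherent walk) is refused before any dereference.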