Subject: Re: [POSSIBLE BUG] iommu/io-pgtable-arm: possible dereferencing of NULL pointer
To: Robin Murphy, Will Deacon, Subkhankulov Rustam
Cc: Joerg Roedel, linux-arm-kernel@lists.infradead.org, iommu@lists.linux.dev, linux-kernel@vger.kernel.org, ldv-project@linuxtesting.org
From: Alexey Khoroshilov
Date: Tue, 2 Aug 2022 01:33:20 +0300

On 01.08.2022 14:06, Robin Murphy wrote:
> On 2022-07-19 18:36, Will Deacon wrote:
>> On Mon, Jul 18, 2022 at 12:20:06PM +0300, Subkhankulov Rustam wrote:
>>> Version: 5-19-rc6
>>>
>>> In function '__arm_lpae_alloc_pages' pointer 'dev' is compared with
>>> NULL at [drivers/iommu/io-pgtable-arm.c: 203]. This means that the
>>> pointer can be NULL.
>>>
>>> -----------------------------------------------------------------------
>>> 203     p = alloc_pages_node(dev ? dev_to_node(dev) : NUMA_NO_NODE,
>>> 204                  gfp | __GFP_ZERO, order);
>>> -----------------------------------------------------------------------
>>>
>>> Then, if cfg->coherent_walk == 0 at [drivers/iommu/io-pgtable-arm.c:
>>> 209], function 'dma_map_single', which is defined as
>>> 'dma_map_single_attrs', is called and pointer dev is passed as
>>> first parameter.
>>>
>>> -----------------------------------------------------------------------
>>> 209     if (!cfg->coherent_walk) {
>>> 208         dma = dma_map_single(dev, pages, size, DMA_TO_DEVICE);
>>> -----------------------------------------------------------------------
>>>
>>> Therefore, pointer 'dev' is passed to function 'dev_driver_string'
>>> in macro 'dev_WARN_ONCE' at [include/linux/dma-mapping.h: 326],
>>> where it is dereferenced at [drivers/base/core.c: 2091].
>>>
>>> -----------------------------------------------------------------------
>>> 2083    const char *dev_driver_string(const struct device *dev)
>>> 2084    {
>>> 2085        struct device_driver *drv;
>>> 2086
>>> ---
>>> 2091        drv = READ_ONCE(dev->driver);
>>> -----------------------------------------------------------------------
>>>
>>> Thus, if it is possible that 'dev' is null at the same time
>>> that flag 'coherent_walk' is 0, then NULL pointer will be
>>> dereferenced.
>>>
>>> Should we somehow avoid NULL pointer dereference or is this
>>> situation impossible and we should remove comparison with NULL?
>>
>> I think 'dev' is only null in the case of the selftest initcall
>> (see arm_lpae_do_selftests()), and 'coherent_walk' is always true there.
>
> Indeed, the intent is that cfg->iommu_dev == NULL is a special case for
> the selftest, which must always claim coherency as well for this reason.
> I suppose we could add an explicit assertion along those lines in
> alloc_pgtable if anyone really thinks it matters.

Yes, we believe it makes sense. It will help to document the intention and
to avoid future questions.

Thank you,
Alexey
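The invariant discussed in this thread, as an added userspace C sketch that is not part of the original message and is not kernel code: a NULL device is tolerated by the allocation helper only because the constructor refuses a NULL device without coherent walks. All `model_*` names and the `-ENODEV`/`-EINVAL` return values are hypothetical stand-ins chosen for this illustration.

```c
#include <stddef.h>
#include <stdbool.h>
#include <errno.h>

/* Hypothetical userspace stand-ins for the kernel structures in the thread. */
struct model_device { const char *driver; int numa_node; };

struct model_cfg {
    bool coherent_walk;              /* walker is coherent, no DMA mapping needed */
    struct model_device *iommu_dev;  /* NULL is reserved for the selftest case */
};

/* Models the DMA-mapping path: it dereferences dev unconditionally. */
static int model_dma_map(const struct model_device *dev)
{
    return dev->driver ? 0 : -ENODEV;
}

/* Models the page allocation helper: NULL dev is fine for the node lookup,
 * but the non-coherent branch hands dev to code that dereferences it. */
static int model_alloc_pages(const struct model_cfg *cfg)
{
    const struct model_device *dev = cfg->iommu_dev;
    int node = dev ? dev->numa_node : -1;  /* -1 plays the role of NUMA_NO_NODE */

    (void)node;
    if (!cfg->coherent_walk)
        return model_dma_map(dev);
    return 0;
}

/* Models the constructor with the explicit check suggested above:
 * a NULL device is accepted only together with coherent_walk. */
static int model_alloc_pgtable(const struct model_cfg *cfg)
{
    if (!cfg->iommu_dev && !cfg->coherent_walk)
        return -EINVAL;
    return model_alloc_pages(cfg);
}

int main(void)
{
    struct model_device d = { "constructed-driver", 0 };  /* constructed sample */
    struct model_cfg selftest = { true, NULL }, bad = { false, NULL }, real = { false, &d };

    return !(model_alloc_pgtable(&selftest) == 0 &&
             model_alloc_pgtable(&bad) == -EINVAL &&
             model_alloc_pgtable(&real) == 0);
}
```

Without the check in `model_alloc_pgtable`, the `bad` configuration would reach `model_dma_map` with a NULL pointer, which is the path the original report describes.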