Message-ID: <28df50012344fb1c925a7ceaf55ae400152ffb48.camel@ispras.ru>
Date: Mon, 18 Jul 2022 12:20:06 +0300
From: Subkhankulov Rustam <subkhankulov@...ras.ru>
To: Will Deacon <will@...nel.org>
Cc: Robin Murphy <robin.murphy@....com>,
Joerg Roedel <joro@...tes.org>,
linux-arm-kernel@...ts.infradead.org, iommu@...ts.linux.dev,
linux-kernel@...r.kernel.org,
Alexey Khoroshilov <khoroshilov@...ras.ru>,
ldv-project@...uxtesting.org
Subject: [POSSIBLE BUG] iommu/io-pgtable-arm: possible dereferencing of NULL pointer
Version: 5-19-rc6
In function '__arm_lpae_alloc_pages' pointer 'dev' is compared with
NULL at [drivers/iommu/io-pgtable-arm.c: 203]. This means that the
pointer can be NULL.
-----------------------------------------------------------------------
203 p = alloc_pages_node(dev ? dev_to_node(dev) : NUMA_NO_NODE,
204 gfp | __GFP_ZERO, order);
-----------------------------------------------------------------------
Then, if cfg->coherent_walk == 0 at [drivers/iommu/io-pgtable-arm.c:
209], function 'dma_map_single', which is defined as
'dma_map_single_attrs', is called and pointer dev is passed as
first parameter.
-----------------------------------------------------------------------
209 if (!cfg->coherent_walk) {
208 dma = dma_map_single(dev, pages, size, DMA_TO_DEVICE);
-----------------------------------------------------------------------
Therefore, pointer 'dev' is passed to function 'dev_driver_string'
in macro 'dev_WARN_ONCE' at [include/linux/dma-mapping.h: 326],
where it is dereferenced at [drivers/base/core.c: 2091].
-----------------------------------------------------------------------
2083 const char *dev_driver_string(const struct device *dev)
2084 {
2085 struct device_driver *drv;
2086
---
2091 drv = READ_ONCE(dev->driver);
-----------------------------------------------------------------------
Thus, if it is possible that 'dev' is NULL at the same time
that flag 'coherent_walk' is 0, then a NULL pointer will be
dereferenced.
Should we somehow avoid the NULL pointer dereference, or is this
situation impossible, so that the comparison with NULL should be removed?
Found by Linux Verification Center (linuxtesting.org) with SVACE.
regards,
Rustam Subkhankulov
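As an added illustration, not kernel code and not part of the report above: a user-space C model of the two paths the report traces (the guarded NUMA-node lookup, then the unconditional use of 'dev' on the non-coherent path). The 'guard' branch is a hypothetical up-front check, included only to make the two possible answers to the question concrete; the kernel's actual resolution is not asserted here.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-ins for the kernel types named in the report. */
struct device_driver { const char *name; };
struct device { struct device_driver *driver; int numa_node; };
struct io_pgtable_cfg { struct device *iommu_dev; bool coherent_walk; };

#define NUMA_NO_NODE (-1)

enum walk_result {
	WALK_OK,          /* allocation and (if needed) mapping completed */
	WALK_NULL_DEREF,  /* dev->driver would be read through a NULL dev */
	WALK_REJECTED     /* hypothetical guard refused the inconsistent cfg */
};

/* Models dev_driver_string(): reads dev->driver unconditionally. */
static const char *model_dev_driver_string(const struct device *dev)
{
	return dev->driver ? dev->driver->name : "";
}

/* Models the control flow of __arm_lpae_alloc_pages() as the report
 * describes it.  With 'guard' set, a hypothetical check rejects a
 * non-coherent walk that has no device before the dma_map_single()
 * path, where a NULL dev would otherwise be dereferenced. */
static enum walk_result model_alloc_pages(const struct io_pgtable_cfg *cfg, bool guard)
{
	struct device *dev = cfg->iommu_dev;
	/* Same NULL test as alloc_pages_node(dev ? dev_to_node(dev) : NUMA_NO_NODE, ...) */
	int node = dev ? dev->numa_node : NUMA_NO_NODE;
	(void)node;

	if (guard && !cfg->coherent_walk && !dev)
		return WALK_REJECTED;

	if (!cfg->coherent_walk) {
		/* dma_map_single(dev, ...) -> dev_WARN_ONCE -> dev_driver_string(dev) */
		if (!dev)
			return WALK_NULL_DEREF;  /* model_dev_driver_string(NULL) would fault */
		(void)model_dev_driver_string(dev);
	}
	return WALK_OK;
}

/* Convenience wrapper: builds a constructed cfg and runs the model. */
static enum walk_result run_case(bool has_dev, bool coherent, bool guard)
{
	static struct device_driver drv = { "constructed-iommu" };
	static struct device dev = { &drv, 0 };
	struct io_pgtable_cfg cfg = { has_dev ? &dev : NULL, coherent };
	return model_alloc_pages(&cfg, guard);
}
```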