lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20250805101741.30819-1-huangxianliang@lanxincomputing.com>
Date: Tue,  5 Aug 2025 18:17:41 +0800
From: "Huang XianLiang" <huangxianliang@...xincomputing.com>
To: <tjeznach@...osinc.com>
Cc: <joro@...tes.org>, <will@...nel.org>, <robin.murphy@....com>, 
	<paul.walmsley@...ive.com>, <palmer@...belt.com>, 
	<aou@...s.berkeley.edu>, <alex@...ti.fr>, <iommu@...ts.linux.dev>, 
	<linux-riscv@...ts.infradead.org>, <linux-kernel@...r.kernel.org>, 
	<huangxianliang@...xincomputing.com>
Subject: [PATCH] iommu/riscv: check pte null pointer before use

The riscv_iommu_pte_fetch can return NULL when the provided iova is not
yet mapped, the caller should check if the returned pointer is NULL or
not, but riscv_iommu_iova_to_phys missed this, which will then lead to
a kernel panic.

This commit just check the pointer before using it to avoid the bug.
Now, when iova_to_phys is called with an unmapped iova, the kernel will
not crash here.

Signed-off-by: Huang XianLiang <huangxianliang@...xincomputing.com>
---
 drivers/iommu/riscv/iommu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iommu/riscv/iommu.c b/drivers/iommu/riscv/iommu.c
index 2d0d31ba2886..b0186faa0300 100644
--- a/drivers/iommu/riscv/iommu.c
+++ b/drivers/iommu/riscv/iommu.c
@@ -1283,7 +1283,7 @@ static phys_addr_t riscv_iommu_iova_to_phys(struct iommu_domain *iommu_domain,
 	unsigned long *ptr;
 
 	ptr = riscv_iommu_pte_fetch(domain, iova, &pte_size);
-	if (_io_pte_none(*ptr) || !_io_pte_present(*ptr))
+	if (!ptr || _io_pte_none(*ptr) || !_io_pte_present(*ptr))
 		return 0;
 
 	return pfn_to_phys(__page_val_to_pfn(*ptr)) | (iova & (pte_size - 1));
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ