Message-ID: <20251221173416.132656-1-rakuram.e96@gmail.com>
Date: Sun, 21 Dec 2025 23:04:16 +0530
From: Rakuram Eswaran <rakuram.e96@...il.com>
To: joro@...tes.org,
	will@...nel.org,
	suravee.suthikulpanit@....com,
	robin.murphy@....com
Cc: dan.carpenter@...aro.org,
	iommu@...ts.linux.dev,
	lkp@...el.com,
	linux-kernel@...r.kernel.org,
	rakuram.e96@...il.com
Subject: [PATCH] iommu: amd: Fix uninitialized dev_data on probe failure

amd_iommu_probe_device() may jump to the out_err path when
iommu_init_device() fails. In that case, dev_data has not been
initialized yet, but the out_err path unconditionally dereferences
dev_data, leading to an uninitialized pointer dereference.

The IOMMU core explicitly allows ->probe_device() callbacks to
return ERR_PTR() on failure. Return immediately when device
initialization fails instead of falling through the shared error
path, which assumes that per-device IOMMU state exists.

This avoids dereferencing dev_data on error paths where the device
was not successfully initialized.

Reported-by: kernel test robot <lkp@...el.com>
Reported-by: Dan Carpenter <dan.carpenter@...aro.org>
Closes: https://lore.kernel.org/r/202512191724.meqJENXe-lkp@intel.com/
Signed-off-by: Rakuram Eswaran <rakuram.e96@...il.com>
---
Testing note:
Compile tested only.

Build and Analysis:
This patch was compiled against the configuration file reported by
0day CI in the above link (config: x86_64-randconfig-r073-20251215)
using gcc version 15.2.0 (Ubuntu 15.2.0-4ubuntu4).

Static analysis was performed with Smatch to ensure the reported warning
no longer reproduces after applying this fix.

Command used for testing:
~/project/smatch/smatch_scripts/kchecker ./drivers/iommu/amd/iommu.c

 drivers/iommu/amd/iommu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iommu/amd/iommu.c b/drivers/iommu/amd/iommu.c
index 5d45795c367a..075125f0f52b 100644
--- a/drivers/iommu/amd/iommu.c
+++ b/drivers/iommu/amd/iommu.c
@@ -2426,7 +2426,7 @@ static struct iommu_device *amd_iommu_probe_device(struct device *dev)
 		dev_err(dev, "Failed to initialize - trying to proceed anyway\n");
 		iommu_dev = ERR_PTR(ret);
 		iommu_ignore_device(iommu, dev);
-		goto out_err;
+		return iommu_dev;
 	}
 
 	amd_iommu_set_pci_msi_domain(dev, iommu);
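
Review bot: The new `return iommu_dev;` skips everything under the out_err label, not only the dev_data dereference, and the hunk does not show what else that label does. Please state in the changelog whether any of that shared error-path work is still required after iommu_ignore_device() on this path, since the patch is compile tested only. With the direct return, the `iommu_dev = ERR_PTR(ret);` assignment just above is used only by the return, so `return ERR_PTR(ret);` would be simpler. The dev_err() text "trying to proceed anyway" also no longer describes what happens here and should be reworded. The changelog has Reported-by and Closes tags but no Fixes: tag naming the commit that introduced the dereference.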
-- 
2.51.0

