Re: [PATCH] iommu/amd: Fix undefined behavior in devid_write debugfs function

From: Ankit Soni

Date: Tue Jun 02 2026 - 00:50:53 EST


On Mon, Jun 01, 2026 at 08:12:40AM -0400, lirongqing wrote:
> From: Li RongQing <lirongqing@xxxxxxxxx>
>
> When the for_each_pci_segment() loop completes without finding a matching
> segment, the pci_seg pointer is not NULL but points to an invalid memory
> location (the list head). Accessing pci_seg->id after the loop causes
> undefined behavior.
>
> Fix this by handling the successful case inside the loop and returning
> -EINVAL after the loop if no matching segment is found.
>
> Fixes: 2e98940f123d9 ("iommu/amd: Add support for device id user input")
> Signed-off-by: Li RongQing <lirongqing@xxxxxxxxx>

Hi,

Thanks for the fix. Looks good to me.

Reviewed-by: Ankit Soni <Ankit.Soni@xxxxxxx>

> ---
> drivers/iommu/amd/debugfs.c | 12 +++---------
> 1 file changed, 3 insertions(+), 9 deletions(-)
>
> diff --git a/drivers/iommu/amd/debugfs.c b/drivers/iommu/amd/debugfs.c
> index 4c53b63..5c573ec 100644
> --- a/drivers/iommu/amd/debugfs.c
> +++ b/drivers/iommu/amd/debugfs.c
> @@ -176,19 +176,13 @@ static ssize_t devid_write(struct file *filp, const char __user *ubuf,
> kfree(srcid_ptr);
> return -ENODEV;
> }
> - break;
> - }
> -
> - if (pci_seg->id != seg) {
> + sbdf = PCI_SEG_DEVID_TO_SBDF(seg, devid);
> kfree(srcid_ptr);
> - return -EINVAL;
> + return cnt;
> }
>
> - sbdf = PCI_SEG_DEVID_TO_SBDF(seg, devid);
> -
> kfree(srcid_ptr);
> -
> - return cnt;
> + return -EINVAL;
> }
>
> static int devid_show(struct seq_file *m, void *unused)
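Review bot: with the success return moved into the loop body, kfree(srcid_ptr) is now repeated on three exit paths in this hunk (before return -ENODEV, before the new return cnt, and before the final return -EINVAL), so a later exit path added to devid_write() can easily miss the free. Consider a local ret and a single cleanup label at the end of the function, with the match case setting sbdf and ret = cnt and then jumping to it, so the buffer is freed in one place. The in-loop return cnt is also only correct if the part of the loop body above this hunk skips segments whose id differs from seg; that check is not in the visible context, and the removed pci_seg->id != seg test after the loop was the only such comparison shown here, so it is worth confirming before merging.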
> --
> 2.9.4
>