[Resend PATCH] intel-iommu Fix NULL pointer dereference in snd_soc_sst_haswell_pcm registration

From: Koos Vriezen
Date: Sat Feb 25 2017 - 07:24:46 EST


Hi,

This oops

[ 1.616381] sst-acpi INT3438:00: DesignWare DMA Controller, 8 channels
[ 1.616505] BUG: unable to handle kernel NULL pointer dereference at 00000000000007ab
[ 1.616512] IP: [<ffffffff8132234a>] device_to_iommu+0x11a/0x1a0
[ 1.616515] PGD 0

[ 1.616518] Oops: 0000 [#1] SMP
[ 1.616563] Modules linked in: snd_soc_sst_haswell_pcm(+) snd_soc_sst_dsp snd_soc_sst_ipc joydev snd_soc_sst_firmware dell_wmi dell_laptop intel_rapl x86_pkg_temp_thermal dell_smbios snd_hda_codec_hdmi intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd wl(PO) efivars hid_multitouch rtsx_pci_ms sg memstick cfg80211 intel_pch_thermal i915 intel_gtt snd_soc_rt286 i2c_algo_bit snd_soc_rl6347a drm_kms_helper snd_soc_core syscopyarea sysfillrect sysimgblt snd_hda_intel fb_sys_fops snd_hda_codec lpc_ich drm snd_hda_core ac97_bus shpchp cfbfillrect snd_pcm dw_dmac cfbimgblt snd_timer snd cfbcopyarea wmi battery intel_vbtn int3403_thermal snd_soc_sst_acpi dw_dmac_core soundcore
[ 1.616584] snd_soc_sst_match int3402_thermal processor_thermal_device int340x_thermal_zone intel_soc_dts_iosf int3406_thermal int3400_thermal acpi_pad intel_hid acpi_thermal_rel ac evdev efivarfs ip_tables x_tables autofs4 i2c_hid hid rtsx_pci_sdmmc mmc_core i2c_i801 i2c_smbus xhci_pci xhci_hcd usbcore rtsx_pci mfd_core usb_common fan thermal gpio_lynxpoint i2c_designware_platform i2c_designware_core
[ 1.616588] CPU: 2 PID: 231 Comm: systemd-udevd Tainted: P U O 4.9.11 #5
[ 1.616589] Hardware name: Dell Inc. XPS 13 9343/09K8G1, BIOS A11 12/08/2016
[ 1.616591] task: ffff880213d2c980 task.stack: ffffc90001454000
[ 1.616597] RIP: 0010:[<ffffffff8132234a>] [<ffffffff8132234a>] device_to_iommu+0x11a/0x1a0
[ 1.616598] RSP: 0018:ffffc90001457a78 EFLAGS: 00010246
[ 1.616600] RAX: ffff880216008c00 RBX: 0000000000000010 RCX: 0000000000000001
[ 1.616601] RDX: ffffc90001457aa5 RSI: ffffc90001457aa4 RDI: ffff880215b6ca68
[ 1.616603] RBP: ffff880216004710 R08: ffff880215b6ca68 R09: ffff88021600aa00
[ 1.616604] R10: 0000000000000000 R11: 0000000000000002 R12: 0000000000000002
[ 1.616605] R13: 0000000000000000 R14: ffff88020e468280 R15: 00000000000a0000
[ 1.616608] FS: 00007f60c05e18c0(0000) GS:ffff88021f500000(0000) knlGS:0000000000000000
[ 1.616610] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1.616611] CR2: 00000000000007ab CR3: 0000000215794000 CR4: 00000000003406e0
[ 1.616612] Stack:
[ 1.616616] 000000007fffffff ffff880215bce010 ffff88020e300000 ffff880215bce010
[ 1.616620] ffffffff8132593a 0000000000000001 ffffffffa0242d31 000000007fffffff
[ 1.616623] ffff880215bce010 ffff88020e300000 ffffffff81326ec9 0000000200000000
[ 1.616624] Call Trace:
[ 1.616630] [<ffffffff8132593a>] ? find_or_alloc_domain.constprop.29+0x1a/0x300
[ 1.616636] [<ffffffffa0242d31>] ? dw_dma_probe+0x561/0x580 [dw_dmac_core]
[ 1.616640] [<ffffffff81326ec9>] ? __get_valid_domain_for_dev+0x39/0x120
[ 1.616644] [<ffffffff81327308>] ? __intel_map_single+0x138/0x180
[ 1.616648] [<ffffffff81327436>] ? intel_alloc_coherent+0xb6/0x120
[ 1.616656] [<ffffffffa11e1ed3>] ? sst_hsw_dsp_init+0x173/0x420 [snd_soc_sst_haswell_pcm]
[ 1.616660] [<ffffffff814b0139>] ? mutex_lock+0x9/0x30
[ 1.616664] [<ffffffff8119058b>] ? kernfs_add_one+0xdb/0x130
[ 1.616668] [<ffffffff813358e9>] ? devres_add+0x19/0x60
[ 1.616675] [<ffffffffa11e38f6>] ? hsw_pcm_dev_probe+0x46/0xd0 [snd_soc_sst_haswell_pcm]
[ 1.616679] [<ffffffff81334470>] ? platform_drv_probe+0x30/0x90
[ 1.616683] [<ffffffff81332b7d>] ? driver_probe_device+0x1ed/0x2b0
[ 1.616687] [<ffffffff81332ccf>] ? __driver_attach+0x8f/0xa0
[ 1.616691] [<ffffffff81332c40>] ? driver_probe_device+0x2b0/0x2b0
[ 1.616694] [<ffffffff81330d75>] ? bus_for_each_dev+0x55/0x90
[ 1.616698] [<ffffffff81331fa0>] ? bus_add_driver+0x110/0x210
[ 1.616701] [<ffffffffa11ea000>] ? 0xffffffffa11ea000
[ 1.616705] [<ffffffff81333322>] ? driver_register+0x52/0xc0
[ 1.616707] [<ffffffffa11ea000>] ? 0xffffffffa11ea000
[ 1.616710] [<ffffffff810003e2>] ? do_one_initcall+0x32/0x130
[ 1.616714] [<ffffffff81104ed7>] ? free_vmap_area_noflush+0x37/0x70
[ 1.616717] [<ffffffff81119f08>] ? kmem_cache_alloc+0x88/0xd0
[ 1.616721] [<ffffffff810cf1cd>] ? do_init_module+0x51/0x1c4
[ 1.616726] [<ffffffff810aca19>] ? load_module+0x1ee9/0x2430
[ 1.616730] [<ffffffff810a9d50>] ? show_taint+0x20/0x20
[ 1.616734] [<ffffffff81133a5d>] ? kernel_read_file+0xfd/0x190
[ 1.616739] [<ffffffff810ad123>] ? SyS_finit_module+0xa3/0xb0
[ 1.616742] [<ffffffff810013aa>] ? do_syscall_64+0x4a/0xb0
[ 1.616746] [<ffffffff814b22ca>] ? entry_SYSCALL64_slow_path+0x25/0x25
[ 1.616792] Code: 78 ff ff ff 4d 85 c0 74 ee 49 8b 5a 10 0f b6 9b e0 00 00 00 41 38 98 e0 00 00 00 77 da 0f b6 eb 49 39 a8 88 00 00 00 72 ce eb 8f <41> f6 82 ab 07 00 00 04 0f 85 76 ff ff ff 0f b6 4d 08 88 0e 49
[ 1.616796] RIP [<ffffffff8132234a>] device_to_iommu+0x11a/0x1a0
[ 1.616797] RSP <ffffc90001457a78>
[ 1.616798] CR2: 00000000000007ab
[ 1.616800] ---[ end trace 16f974b6d58d0aad ]---

is because of a missing null ptr check for non-pci devices.
Tested against 4.9.11. Also see
https://bugzilla.redhat.com/show_bug.cgi?id=1411946

Fixes: 1c387188c60f53b338c20eee32db055dfe022a9b ("iommu/vt-d: Fix IOMMU lookup for SR-IOV Virtual Functions")
Signed-off-by: Koos Vriezen <koos.vriezen@xxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx # 4.8.15+
---
--- linux/drivers/iommu/intel-iommu.c.orig 2017-02-24 23:29:59.758656270 +0100
+++ linux/drivers/iommu/intel-iommu.c 2017-02-24 23:30:29.672500523 +0100
@@ -915,7 +915,7 @@ static struct intel_iommu *device_to_iom
* which we used for the IOMMU lookup. Strictly speaking
* we could do this for all PCI devices; we only need to
* get the BDF# from the scope table for ACPI matches. */
- if (pdev->is_virtfn)
+ if (pdev && pdev->is_virtfn)
goto got_pdev;

*bus = drhd->devices[i].bus;
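Review bot: the comment directly above the changed `if (pdev && pdev->is_virtfn)` line still reads as if pdev is always valid here. Add a sentence to it saying that pdev is NULL when the device is not a PCI device (the ACPI match case the comment already mentions), so the NULL test is not later dropped as redundant. The check itself is consistent with the oops: R10 is 0, CR2 is 00000000000007ab, and the faulting bytes `41 f6 82 ab 07 00 00 04` are a byte test at offset 0x7ab from R10, which is a field read through a NULL pointer. For the subject line, consider the `iommu/vt-d:` prefix used by the commit named in the Fixes: tag.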