[PATCH 5.9 063/133] iommu/vt-d: Fix kernel NULL pointer dereference in find_domain()

From: Greg Kroah-Hartman
Date: Mon Nov 09 2020 - 09:48:24 EST


From: Lu Baolu <baolu.lu@xxxxxxxxxxxxxxx>

commit 6097df457adfb67cb75ca700fd1085ede2e1201d upstream.

If find_domain() is called for a device which hasn't been probed by the
iommu core, the kernel NULL pointer dereference issue below happens.

[ 362.736947] BUG: kernel NULL pointer dereference, address: 0000000000000038
[ 362.743953] #PF: supervisor read access in kernel mode
[ 362.749115] #PF: error_code(0x0000) - not-present page
[ 362.754278] PGD 0 P4D 0
[ 362.756843] Oops: 0000 [#1] SMP NOPTI
[ 362.760528] CPU: 0 PID: 844 Comm: cat Not tainted 5.9.0-rc4-intel-next+ #1
[ 362.767428] Hardware name: Intel Corporation Ice Lake Client Platform/IceLake
U DDR4 SODIMM PD RVP TLC, BIOS ICLSFWR1.R00.3384.A02.1909200816
09/20/2019
[ 362.781109] RIP: 0010:find_domain+0xd/0x40
[ 362.785234] Code: 48 81 fb 60 28 d9 b2 75 de 5b 41 5c 41 5d 5d c3 0f 1f 00 66
2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 8b 87 e0 02 00
00 55 <48> 8b 40 38 48 89 e5 48 83 f8 fe 0f 94 c1 48 85 ff
0f 94 c2 08 d1
[ 362.804041] RSP: 0018:ffffb09cc1f0bd38 EFLAGS: 00010046
[ 362.809292] RAX: 0000000000000000 RBX: ffff905b98e4fac8 RCX: 0000000000000000
[ 362.816452] RDX: 0000000000000001 RSI: ffff905b98e4fac8 RDI: ffff905b9ccd40d0
[ 362.823617] RBP: ffffb09cc1f0bda0 R08: ffffb09cc1f0bd48 R09: 000000000000000f
[ 362.830778] R10: ffffffffb266c080 R11: ffff905b9042602d R12: ffff905b98e4fac8
[ 362.837944] R13: ffffb09cc1f0bd48 R14: ffff905b9ccd40d0 R15: ffff905b98e4fac8
[ 362.845108] FS: 00007f8485460740(0000) GS:ffff905b9fc00000(0000)
knlGS:0000000000000000
[ 362.853227] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 362.858996] CR2: 0000000000000038 CR3: 00000004627a6003 CR4: 0000000000770ef0
[ 362.866161] PKRU: fffffffc
[ 362.868890] Call Trace:
[ 362.871363] ? show_device_domain_translation+0x32/0x100
[ 362.876700] ? bind_store+0x110/0x110
[ 362.880387] ? klist_next+0x91/0x120
[ 362.883987] ? domain_translation_struct_show+0x50/0x50
[ 362.889237] bus_for_each_dev+0x79/0xc0
[ 362.893121] domain_translation_struct_show+0x36/0x50
[ 362.898204] seq_read+0x135/0x410
[ 362.901545] ? handle_mm_fault+0xeb8/0x1750
[ 362.905755] full_proxy_read+0x5c/0x90
[ 362.909526] vfs_read+0xa6/0x190
[ 362.912782] ksys_read+0x61/0xe0
[ 362.916037] __x64_sys_read+0x1a/0x20
[ 362.919725] do_syscall_64+0x37/0x80
[ 362.923329] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 362.928405] RIP: 0033:0x7f84855c5e95

Filter out those devices to avoid such an error.

Fixes: e2726daea583d ("iommu/vt-d: debugfs: Add support to show page table internals")
Reported-and-tested-by: Xu Pengfei <pengfei.xu@xxxxxxxxx>
Signed-off-by: Lu Baolu <baolu.lu@xxxxxxxxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx#v5.6+
Link: https://lore.kernel.org/r/20201028070725.24979-1-baolu.lu@xxxxxxxxxxxxxxx
Signed-off-by: Joerg Roedel <jroedel@xxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
drivers/iommu/intel/iommu.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/iommu/intel/iommu.c
+++ b/drivers/iommu/intel/iommu.c
@@ -2490,6 +2490,9 @@ struct dmar_domain *find_domain(struct d
{
struct device_domain_info *info;

+ if (unlikely(!dev || !dev->iommu))
+ return NULL;
+
if (unlikely(attach_deferred(dev)))
return NULL;
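
Review bot: the `!dev` half of the new guard at the top of find_domain() is not explained by the reported oops or by the commit message. In the register dump RDI (the first argument) is non-NULL, RAX is 0 and CR2 is 0x38, so the fault was a read through a NULL `dev->iommu`, not a NULL `dev`. Either name the caller that can pass a NULL device or reduce the test to `!dev->iommu`. A one-line comment above the check saying that `dev->iommu` is NULL for devices not yet probed by the iommu core would also help, since without it the test reads as generic defensive code. Because the filter lives in find_domain() rather than in the debugfs walker seen in the trace (show_device_domain_translation), it is worth confirming that every caller treats a NULL return as "no domain" and does not dereference it.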