Re: [PATCH] iommu: check if group is NULL before remove device

From: Frank Wunderlich (linux)
Date: Fri Jul 30 2021 - 09:18:14 EST


Am 2021-07-15 09:20, schrieb Joerg Roedel:
On Thu, Jul 15, 2021 at 09:11:50AM +0200, Frank Wunderlich wrote:
From: Frank Wunderlich <frank-w@xxxxxxxxxxxxxxx>

if probe is failing, iommu_group may be not initialized,

Sentences start with capital letters.

IOMMU patch subjects too, after the 'iommu:' prefix.

so freeing it will result in NULL pointer access

Please describe in more detail how this NULL-ptr dereference is
triggered.

in my case probe (mtk_iommu_probe_device called from __iommu_probe_device) is failing due to fwspec missing and then dev_iommu_free/iommu_fwspec_free is called, later iommu_group_remove_device with group=NULL

i think i've found problem:

iommu_probe_device:
group = iommu_group_get(dev);
if (!group) { //group is checked here for NULL but accessed later
ret = -ENODEV;
goto err_release; <<<
}
err_release:<<<
iommu_release_device(dev);

------------------------------------------------------------------------------
void iommu_release_device(struct device *dev)
{
...
iommu_group_remove_device(dev);

------------------------------------------------------------------------------
void iommu_group_remove_device(struct device *dev)
{
struct iommu_group *group = dev->iommu_group;
struct group_device *tmp_device, *device = NULL;
...
dev_info(dev, "Removing from iommu group %d\n", group->id); //crash as group is NULL and not checked