Re: [PATCH] iommu: check if group is NULL before remove device
From: Frank Wunderlich (linux)
Date: Fri Jul 30 2021 - 09:18:14 EST
On 2021-07-15 09:20, Joerg Roedel wrote:
> On Thu, Jul 15, 2021 at 09:11:50AM +0200, Frank Wunderlich wrote:
>> From: Frank Wunderlich <frank-w@xxxxxxxxxxxxxxx>
>>
>> if probe is failing, iommu_group may be not initialized,
>
> Sentences start with capital letters.
> IOMMU patch subjects too, after the 'iommu:' prefix.
>
>> so freeing it will result in NULL pointer access
>
> Please describe in more detail how this NULL-ptr dereference is
> triggered.
In my case, probe (mtk_iommu_probe_device called from
__iommu_probe_device) is failing because fwspec is missing; then
dev_iommu_free/iommu_fwspec_free is called, and later
iommu_group_remove_device is called with group=NULL.
I think I've found the problem:
iommu_probe_device:

        group = iommu_group_get(dev);
        if (!group) {                   // group is checked here for NULL but accessed later
                ret = -ENODEV;
                goto err_release;       <<<
        }

err_release:                            <<<
        iommu_release_device(dev);

------------------------------------------------------------------------------

void iommu_release_device(struct device *dev)
{
        ...
        iommu_group_remove_device(dev);

------------------------------------------------------------------------------

void iommu_group_remove_device(struct device *dev)
{
        struct iommu_group *group = dev->iommu_group;
        struct group_device *tmp_device, *device = NULL;
        ...
        dev_info(dev, "Removing from iommu group %d\n", group->id); // crash, as group is NULL and not checked
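To make the path walked through above concrete, here is an added user-space C model (example code, not the kernel's): group_remove_device(), release_device() and probe_device() are simplified stand-ins for the kernel functions named in the excerpts, and the device's fwspec is reduced to a flag. It shows why the NULL check has to live in the remove routine, since the error path runs whether or not the device ever joined a group.

```c
/* Added example (not kernel code): user-space model of the failed-probe path above; names are simplified stand-ins. */
#include <stdio.h>
#define ENODEV 19                       /* kernel errno value */

struct iommu_group { int id; };
struct device {
    int has_fwspec;                     /* stands in for dev->iommu->fwspec */
    struct iommu_group *iommu_group;    /* NULL until the device joins a group */
};

/* Stand-in for iommu_group_remove_device(): returns the id of the group the
 * device left, or -1 if it never joined one. Without the NULL check, the
 * group->id read below dereferences NULL on the failed-probe path. */
static int group_remove_device(struct device *dev)
{
    struct iommu_group *group = dev->iommu_group;
    if (!group)                         /* the guard the patch subject describes */
        return -1;
    printf("Removing from iommu group %d\n", group->id);
    dev->iommu_group = NULL;
    return group->id;
}

/* Stand-in for iommu_release_device(): runs on every probe failure, even one
 * that happened before the device was added to any group. */
static int release_device(struct device *dev)
{
    return group_remove_device(dev);
}

/* Stand-in for __iommu_probe_device(): without fwspec, iommu_group_get() yields
 * NULL and the error path still calls the release/remove chain. */
static int probe_device(struct device *dev, struct iommu_group *grp)
{
    struct iommu_group *group = dev->has_fwspec ? grp : NULL;
    if (!group)
        goto err_release;
    dev->iommu_group = group;
    return 0;
err_release:
    release_device(dev);                /* safe only because of the guard above */
    return -ENODEV;
}

int main(void)
{
    struct iommu_group g = { .id = 7 };
    struct device good = { 1, NULL }, bad = { 0, NULL };
    printf("good: %d  bad: %d\n", probe_device(&good, &g), probe_device(&bad, &g));
    return 0;
}
```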