From: Lu Baolu baolu.lu@linux.intel.com
mainline inclusion from mainline-v6.10-rc3 commit 89e8a2366e3bce584b6c01549d5019c5cda1205e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IACSKO CVE: CVE-2024-40945
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
iommu_sva_bind_device() should return either a sva bond handle or an ERR_PTR value in error cases. Existing drivers (idxd and uacce) only check the return value with IS_ERR(). This could potentially lead to a kernel NULL pointer dereference issue if the function returns NULL instead of an error pointer.
In reality, this doesn't cause any problems because iommu_sva_bind_device() only returns NULL when the kernel is not configured with CONFIG_IOMMU_SVA. In this case, iommu_dev_enable_feature(dev, IOMMU_DEV_FEAT_SVA) will return an error, and the device drivers won't call iommu_sva_bind_device() at all.
Fixes: 26b25a2b98e4 ("iommu: Bind process address spaces to devices") Signed-off-by: Lu Baolu baolu.lu@linux.intel.com Reviewed-by: Jean-Philippe Brucker jean-philippe@linaro.org Reviewed-by: Kevin Tian kevin.tian@intel.com Reviewed-by: Vasant Hegde vasant.hegde@amd.com Link: https://lore.kernel.org/r/20240528042528.71396-1-baolu.lu@linux.intel.com Signed-off-by: Joerg Roedel jroedel@suse.de Signed-off-by: Cheng Yu serein.chengyu@huawei.com --- include/linux/iommu.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/iommu.h b/include/linux/iommu.h index 1d70dd0d0c8c..293219ee6fb9 100644 --- a/include/linux/iommu.h +++ b/include/linux/iommu.h @@ -1674,7 +1674,7 @@ struct iommu_domain *iommu_sva_domain_alloc(struct device *dev, static inline struct iommu_sva * iommu_sva_bind_device(struct device *dev, struct mm_struct *mm) { - return NULL; + return ERR_PTR(-ENODEV); }
static inline void iommu_sva_unbind_device(struct iommu_sva *handle)