From: Lu Baolu baolu.lu@linux.intel.com

mainline inclusion from mainline-v6.10-rc3 commit 89e8a2366e3bce584b6c01549d5019c5cda1205e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IACSKO CVE: CVE-2024-40945

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...

--------------------------------

iommu_sva_bind_device() should return either a sva bond handle or an ERR_PTR value in error cases. Existing drivers (idxd and uacce) only check the return value with IS_ERR(). This could potentially lead to a kernel NULL pointer dereference issue if the function returns NULL instead of an error pointer.

In reality, this doesn't cause any problems because iommu_sva_bind_device() only returns NULL when the kernel is not configured with CONFIG_IOMMU_SVA. In this case, iommu_dev_enable_feature(dev, IOMMU_DEV_FEAT_SVA) will return an error, and the device drivers won't call iommu_sva_bind_device() at all.

Fixes: 26b25a2b98e4 ("iommu: Bind process address spaces to devices") Signed-off-by: Lu Baolu baolu.lu@linux.intel.com Reviewed-by: Jean-Philippe Brucker jean-philippe@linaro.org Reviewed-by: Kevin Tian kevin.tian@intel.com Reviewed-by: Vasant Hegde vasant.hegde@amd.com Link: https://lore.kernel.org/r/20240528042528.71396-1-baolu.lu@linux.intel.com Signed-off-by: Joerg Roedel jroedel@suse.de Signed-off-by: Cheng Yu serein.chengyu@huawei.com --- include/linux/iommu.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/iommu.h b/include/linux/iommu.h index b0218b1f5ef0..355f4e437d67 100644 --- a/include/linux/iommu.h +++ b/include/linux/iommu.h @@ -1153,7 +1153,7 @@ iommu_aux_get_pasid(struct iommu_domain *domain, struct device *dev) static inline struct iommu_sva * iommu_sva_bind_device(struct device *dev, struct mm_struct *mm, void *drvdata) { - return NULL; + return ERR_PTR(-ENODEV); }

static inline void iommu_sva_unbind_device(struct iommu_sva *handle)