[PATCH] iommu: Fix NULL pointer deref when io_page_fault tracepoint fires

[PATCH] iommu: Fix NULL pointer deref when io_page_fault tracepoint fires

[Daniel Thompson]

The arm-smmu driver is unable to allocate the blame for a page fault to
a specific device so it calls report_iommu_fault() with the dev argument
set to NULL. Normally this doesn't cause anything catastrophic but on a
system with the io_page_fault tracepoint enabled this results in a NULL
pointer deref (resulting in a fairly spectacular crash on the hardware
I'm currently working on).

Fix this by adding logic to the tracepoint to safely propagate NULL.

Signed-off-by: Daniel Thompson <daniel@riscstar.com>
---
 include/trace/events/iommu.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/trace/events/iommu.h b/include/trace/events/iommu.h
index 373007e567cb827458a729b8200bbcc1b7d76912..1315193f13b8812ad4e29e6b0c0c66ca806ce08d 100644
--- a/include/trace/events/iommu.h
+++ b/include/trace/events/iommu.h
@@ -131,8 +131,8 @@ DECLARE_EVENT_CLASS(iommu_error,
 	TP_ARGS(dev, iova, flags),
 
 	TP_STRUCT__entry(
-		__string(device, dev_name(dev))
-		__string(driver, dev_driver_string(dev))
+		__string(device, dev ? dev_name(dev) : NULL)
+		__string(driver, dev ? dev_driver_string(dev) : NULL)
 		__field(u64, iova)
 		__field(int, flags)
 	),

---
base-commit: 0f61b1860cc3f52aef9036d7235ed1f017632193
change-id: 20260116-iommu-io_page_fault_null_fix-f81b4e8b5423

Best regards,
-- 
Daniel Thompson <daniel@riscstar.com>

Re: [PATCH] iommu: Fix NULL pointer deref when io_page_fault tracepoint fires

[Markus Elfring]

…
> Fix this by adding logic to the tracepoint to safely propagate NULL.

* How do you think about to add any tags (like “Fixes” and “Cc”) accordingly?

* Would a summary phrase like “Prevent null pointer dereference for a tracepoint”
  be a bit nicer?


Regards,
Markus

Re: [PATCH] iommu: Fix NULL pointer deref when io_page_fault tracepoint fires

[Daniel Thompson]

On Fri, Jan 16, 2026 at 05:02:35PM +0100, Markus Elfring wrote:
> …
> > Fix this by adding logic to the tracepoint to safely propagate NULL.
>
> * How do you think about to add any tags (like “Fixes” and “Cc”) accordingly?

I could add a

Fixes: f8f934c180f6 ("iommu/arm-smmu: Add support for driver IOMMU fault handlers")

However, who do you think I neglected to Cc:?


> * Would a summary phrase like “Prevent null pointer dereference for a tracepoint”
>   be a bit nicer?

I don't understand what is wrong with the original phrasing. Can you
explain why this change matters to you?


Daniel.

Re: iommu: Fix NULL pointer deref when io_page_fault tracepoint fires

[Markus Elfring]

>> …
>>> Fix this by adding logic to the tracepoint to safely propagate NULL.
>>
>> * How do you think about to add any tags (like “Fixes” and “Cc”) accordingly?
> 
> I could add a
> 
> Fixes: f8f934c180f6 ("iommu/arm-smmu: Add support for driver IOMMU fault handlers")
> 
> However, who do you think I neglected to Cc:?

See also once more:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.19-rc5#n262
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/stable-kernel-rules.rst?h=v6.19-rc5#n34


>> * Would a summary phrase like “Prevent null pointer dereference for a tracepoint”
>>   be a bit nicer?
> 
> I don't understand what is wrong with the original phrasing. Can you
> explain why this change matters to you?

* Questionable abbreviation “deref”

* when clause


Regards,
Markus

Re: iommu: Fix NULL pointer deref when io_page_fault tracepoint fires

[Daniel Thompson]

On Mon, Jan 19, 2026 at 04:56:04PM +0100, Markus Elfring wrote:
> >> …
> >>> Fix this by adding logic to the tracepoint to safely propagate NULL.
> >>
> >> * How do you think about to add any tags (like “Fixes” and “Cc”) accordingly?
> >
> > I could add a
> >
> > Fixes: f8f934c180f6 ("iommu/arm-smmu: Add support for driver IOMMU fault handlers")
> >
> > However, who do you think I neglected to Cc:?
>
> See also once more:
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.19-rc5#n262
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/stable-kernel-rules.rst?h=v6.19-rc5#n34

That's not what I asked! You suggested I add people to Cc:, who do you
think I missed?


> >> * Would a summary phrase like “Prevent null pointer dereference for a tracepoint”
> >>   be a bit nicer?
> >
> > I don't understand what is wrong with the original phrasing. Can you
> > explain why this change matters to you?
>
> * Questionable abbreviation “deref”
> * when clause

I dislike the proposed new summary. I think keeping "io_page_fault"
in the summary is a much better use of characters than spelling
dereference in full.


Daniel.

Re: iommu: Fix NULL pointer deref when io_page_fault tracepoint fires

[Steven Rostedt]

On Mon, 19 Jan 2026 16:15:25 +0000
Daniel Thompson <daniel@riscstar.com> wrote:

> I dislike the proposed new summary. I think keeping "io_page_fault"
> in the summary is a much better use of characters than spelling
> dereference in full.

Agreed. You may safely ignore the comments outside of adding a "Fixes" tag.
That probably should be done.

As for your patch:

  Reviewed-by: Steven Rostedt (Google) <rostedt@goodmis.org>

-- Steve