[PATCH v4] iommu/riscv: prevent NULL deref in iova_to_phys

[PATCH v4] iommu/riscv: prevent NULL deref in iova_to_phys

[XianLiang Huang]

The riscv_iommu_pte_fetch() function returns either NULL for
unmapped/never-mapped iova, or a valid leaf pte pointer that requires no
further validation.

riscv_iommu_iova_to_phys() failed to handle NULL returns. Prevent null pointer
dereference in riscv_iommu_iova_to_phys(), and remove the pte validation.

Fixes: 488ffbf18171 ("iommu/riscv: Paging domain support")
Cc: Tomasz Jeznach <tjeznach@rivosinc.com>
Signed-off-by: XianLiang Huang <huangxianliang@lanxincomputing.com>
---
Changes
v4:
- Change the summary as Markus recommends

v3:
- Remove redundant pte validation in riscv_iommu_iova_to_phys
- Improve subject line to emphasize prevention

v2:
- Refine problem description
- Add "Fixes" tag
---
 drivers/iommu/riscv/iommu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iommu/riscv/iommu.c b/drivers/iommu/riscv/iommu.c
index 2d0d31ba2886..0eae2f4bdc5e 100644
--- a/drivers/iommu/riscv/iommu.c
+++ b/drivers/iommu/riscv/iommu.c
@@ -1283,7 +1283,7 @@ static phys_addr_t riscv_iommu_iova_to_phys(struct iommu_domain *iommu_domain,
 	unsigned long *ptr;
 
 	ptr = riscv_iommu_pte_fetch(domain, iova, &pte_size);
-	if (_io_pte_none(*ptr) || !_io_pte_present(*ptr))
+	if (!ptr)
 		return 0;
 
 	return pfn_to_phys(__page_val_to_pfn(*ptr)) | (iova & (pte_size - 1));
-- 
2.34.1

Re: [PATCH v4] iommu/riscv: prevent NULL deref in iova_to_phys

[Markus Elfring]

…> ---
> Changes
> v4:
> - Change the summary as Markus recommends
> 
> v3:
> - Remove redundant pte validation in riscv_iommu_iova_to_phys
> - Improve subject line to emphasize prevention
…

Does anything hinder you to integrate repeated patch review ideas better
into your contributions?

Repetition:
https://lore.kernel.org/lkml/effb29be-6d14-47e5-ab71-454119467750@web.de/
https://lkml.org/lkml/2025/8/7/282

Regards,
Markus

Re: [PATCH v4] iommu/riscv: prevent NULL deref in iova_to_phys

[XianLiang Huang]

https://lore.kernel.org/lkml/feb46658-5a3a-4403-b407-500566280eb3@web.de/

I updated the patch in v3, and updated change description accordingly:

In v1
> -	if (_io_pte_none(*ptr) || !_io_pte_present(*ptr))
> +	if (!ptr || _io_pte_none(*ptr) || !_io_pte_present(*ptr))

In v3
> -	if (_io_pte_none(*ptr) || !_io_pte_present(*ptr))
> +	if (!ptr)

but put your proposal at the patch Subject...
  v1: check pte null pointer before use
  v3: prevent NULL deref in iova_to_phys

> …> ---
> > Changes
> > v4:
> > - Change the summary as Markus recommends
> > 
> > v3:
sorry for making this messy.

Regards,
Xianliang

Re: [v4] iommu/riscv: prevent NULL deref in iova_to_phys

[Markus Elfring]

…> but put your proposal at the patch Subject...
…
Does it trigger undesirable communication difficulties?

Regards,
Markus

Re: Re: [v4] iommu/riscv: prevent NULL deref in iova_to_phys

[XianLiang Huang]

> Does it trigger undesirable communication difficulties?
No, and I agree that both subject and summary phrase can be improved

And now I do learn from this, thanks.
> Your patch will almost certainly get comments from reviewers on ways in
> which the patch can be improved, in the form of a reply to your email. You must
> respond to those comments; ignoring reviewers is a good way to get ignored in
> return. You can simply reply to their emails to answer their comments. Review
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst#n310

Regards,
Xianliang

Re: [v4] iommu/riscv: prevent NULL deref in iova_to_phys

[Markus Elfring]

>> Does it trigger undesirable communication difficulties?
> No, and I agree that both subject and summary phrase can be improved

I suggest to take another look for the better distinction of mentioned key words.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/process/submitting-patches.rst?h=v6.17-rc2#n638

Regards,
Markus

Re: Re: [v4] iommu/riscv: prevent NULL deref in iova_to_phys

[XianLiang Huang]

> I suggest to take another look for the better distinction of mentioned key words.
I misunderstood this
    >> …> Check the pointer before using it to avoid the bug. …
    > Would a summary phrase like “Prevent null pointer dereference in riscv_iommu_iova_to_phys()”
    > be also helpful?
https://lore.kernel.org/lkml/effb29be-6d14-47e5-ab71-454119467750@web.de/

>> > Changes
>> > v4:
>> > - Change the summary as Markus recommends
>> > 
>> > v3:
>> > - Remove redundant pte validation in riscv_iommu_iova_to_phys
>> > - Improve subject line to emphasize prevention
> Does anything hinder you to integrate repeated patch review ideas better
> into your contributions?
Do you suggest merge the repeated patch changlogs?
may a RESEND v3:
- Remove redundant pte validation in riscv_iommu_iova_to_phys
- Improve summary and description to emphasize prevention as Markus recommends

Regards,
Xianliang

Re: [PATCH v4] iommu/riscv: prevent NULL deref in iova_to_phys

[Joerg Roedel]

On Wed, Aug 20, 2025 at 03:22:48PM +0800, XianLiang Huang wrote:
>  drivers/iommu/riscv/iommu.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Applied for -rc, thanks.