[PATCH v3] iommu/riscv: prevent NULL deref in iova_to_phys

[PATCH v3] iommu/riscv: prevent NULL deref in iova_to_phys

[XianLiang Huang]

The riscv_iommu_pte_fetch() function returns either NULL for
unmapped/never-mapped iova, or a valid leaf pte pointer that requires no
further validation.

riscv_iommu_iova_to_phys() failed to handle NULL returns. Fix by adding NULL
check before dereferencing and returning 0 for invalid iova.

Fixes: 488ffbf18171 ("iommu/riscv: Paging domain support")
Cc: Tomasz Jeznach <tjeznach@rivosinc.com>
Signed-off-by: XianLiang Huang <huangxianliang@lanxincomputing.com>
---
Changes
v3:
- Remove redundant pte validation in riscv_iommu_iova_to_phys
- Improve subject line to emphasize prevention

v2:
- Refine problem description
- Add "Fixes" tag
---
 drivers/iommu/riscv/iommu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iommu/riscv/iommu.c b/drivers/iommu/riscv/iommu.c
index 2d0d31ba2886..0eae2f4bdc5e 100644
--- a/drivers/iommu/riscv/iommu.c
+++ b/drivers/iommu/riscv/iommu.c
@@ -1283,7 +1283,7 @@ static phys_addr_t riscv_iommu_iova_to_phys(struct iommu_domain *iommu_domain,
 	unsigned long *ptr;
 
 	ptr = riscv_iommu_pte_fetch(domain, iova, &pte_size);
-	if (_io_pte_none(*ptr) || !_io_pte_present(*ptr))
+	if (!ptr)
 		return 0;
 
 	return pfn_to_phys(__page_val_to_pfn(*ptr)) | (iova & (pte_size - 1));
-- 
2.34.1

Re: [PATCH v3] iommu/riscv: prevent NULL deref in iova_to_phys

[Markus Elfring]

…> riscv_iommu_iova_to_phys() failed to handle NULL returns. Fix by adding NULL
> check before dereferencing and returning 0 for invalid iova.
…> ---
> Changes
> v3:
> - Remove redundant pte validation in riscv_iommu_iova_to_phys
> - Improve subject line to emphasize prevention
…

Repetition:
https://lore.kernel.org/lkml/effb29be-6d14-47e5-ab71-454119467750@web.de/

Would a summary phrase like “Prevent null pointer dereference in riscv_iommu_iova_to_phys()”
be nicer anyhow?

Regards,
Markus

Re: [PATCH v3] iommu/riscv: prevent NULL deref in iova_to_phys

[Joerg Roedel]

On Fri, Aug 15, 2025 at 03:12:44PM +0800, XianLiang Huang wrote:
> diff --git a/drivers/iommu/riscv/iommu.c b/drivers/iommu/riscv/iommu.c
> index 2d0d31ba2886..0eae2f4bdc5e 100644
> --- a/drivers/iommu/riscv/iommu.c
> +++ b/drivers/iommu/riscv/iommu.c
> @@ -1283,7 +1283,7 @@ static phys_addr_t riscv_iommu_iova_to_phys(struct iommu_domain *iommu_domain,
>  	unsigned long *ptr;
>  
>  	ptr = riscv_iommu_pte_fetch(domain, iova, &pte_size);
> -	if (_io_pte_none(*ptr) || !_io_pte_present(*ptr))
> +	if (!ptr)
>  		return 0;

Zero is usually not an invalid physical address, or is it on RISC-V?

-Joerg

Re: [PATCH v3] iommu/riscv: prevent NULL deref in iova_to_phys

[Robin Murphy]

On 15/08/2025 11:01 am, Joerg Roedel wrote:
> On Fri, Aug 15, 2025 at 03:12:44PM +0800, XianLiang Huang wrote:
>> diff --git a/drivers/iommu/riscv/iommu.c b/drivers/iommu/riscv/iommu.c
>> index 2d0d31ba2886..0eae2f4bdc5e 100644
>> --- a/drivers/iommu/riscv/iommu.c
>> +++ b/drivers/iommu/riscv/iommu.c
>> @@ -1283,7 +1283,7 @@ static phys_addr_t riscv_iommu_iova_to_phys(struct iommu_domain *iommu_domain,
>>   	unsigned long *ptr;
>>   
>>   	ptr = riscv_iommu_pte_fetch(domain, iova, &pte_size);
>> -	if (_io_pte_none(*ptr) || !_io_pte_present(*ptr))
>> +	if (!ptr)
>>   		return 0;
> 
> Zero is usually not an invalid physical address, or is it on RISC-V?

It's a valid PA on many systems of many architectures, but it's also 
been the "not mapped/error" value for the iova_to_phys operation all the 
way back to the very very first intel_iommu_iova_to_pfn() nearly 17 
years ago, so hey :)

Thanks,
Robin.

Re: [PATCH v3] iommu/riscv: prevent NULL deref in iova_to_phys

[Joerg Roedel]

On Fri, Aug 15, 2025 at 03:43:25PM +0100, Robin Murphy wrote:
> It's a valid PA on many systems of many architectures, but it's also been
> the "not mapped/error" value for the iova_to_phys operation all the way back
> to the very very first intel_iommu_iova_to_pfn() nearly 17 years ago, so hey
> :)

Right, the sins of the past finally haunt me ;)