[PATCH v3] iommu/riscv: prevent NULL deref in iova_to_phys

From: XianLiang Huang
Date: Fri Aug 15 2025 - 03:16:57 EST

Next message: Mika Penttilä: "Re: [RFC PATCH 1/4] mm: use current as mmu notifier's owner"
Previous message: Feng Tang: "[PATCH 1/3] lib/sys_info: handle sys_info_mask==0 case"
Next in thread: Markus Elfring: "Re: [PATCH v3] iommu/riscv: prevent NULL deref in iova_to_phys"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The riscv_iommu_pte_fetch() function returns either NULL for
unmapped/never-mapped iova, or a valid leaf pte pointer that requires no
further validation.

riscv_iommu_iova_to_phys() failed to handle NULL returns. Fix by adding NULL
check before dereferencing and returning 0 for invalid iova.

Fixes: 488ffbf18171 ("iommu/riscv: Paging domain support")
Cc: Tomasz Jeznach <tjeznach@xxxxxxxxxxxx>
Signed-off-by: XianLiang Huang <huangxianliang@xxxxxxxxxxxxxxxxxxx>
---
Changes
v3:
- Remove redundant pte validation in riscv_iommu_iova_to_phys
- Improve subject line to emphasize prevention

v2:
- Refine problem description
- Add "Fixes" tag
---
drivers/iommu/riscv/iommu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iommu/riscv/iommu.c b/drivers/iommu/riscv/iommu.c
index 2d0d31ba2886..0eae2f4bdc5e 100644
--- a/drivers/iommu/riscv/iommu.c
+++ b/drivers/iommu/riscv/iommu.c
@@ -1283,7 +1283,7 @@ static phys_addr_t riscv_iommu_iova_to_phys(struct iommu_domain *iommu_domain,
unsigned long *ptr;

ptr = riscv_iommu_pte_fetch(domain, iova, &pte_size);
- if (_io_pte_none(*ptr) || !_io_pte_present(*ptr))
+ if (!ptr)
return 0;

return pfn_to_phys(__page_val_to_pfn(*ptr)) | (iova & (pte_size - 1));
--
2.34.1

Next message: Mika Penttilä: "Re: [RFC PATCH 1/4] mm: use current as mmu notifier's owner"
Previous message: Feng Tang: "[PATCH 1/3] lib/sys_info: handle sys_info_mask==0 case"
Next in thread: Markus Elfring: "Re: [PATCH v3] iommu/riscv: prevent NULL deref in iova_to_phys"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]