Xen project Mailing List

Re: [PATCH 1/2] xen/arm: smmuv3: fix UB during deassign

To: Stewart Hildebrand <Stewart.Hildebrand@xxxxxxx>

From: Bertrand Marquis <Bertrand.Marquis@xxxxxxx>

Date: Fri, 25 Jul 2025 06:12:13 +0000

Accept-language: en-GB, en-US

Arc-authentication-results: i=2; mx.microsoft.com 1; spf=pass (sender ip is 4.158.2.129) smtp.rcpttodomain=amd.com smtp.mailfrom=arm.com; dmarc=pass (p=none sp=none pct=100) action=none header.from=arm.com; dkim=pass (signature was verified) header.d=arm.com; arc=pass (0 oda=1 ltdi=1 spf=[1,1,smtp.mailfrom=arm.com] dkim=[1,1,header.d=arm.com] dmarc=[1,1,header.from=arm.com])

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none

Arc-message-signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=falzG9wCgrZY9GMPGPMooEvy6Ohut7ooSEVIzzYoNyg=; b=UL4uDtnEVsio/DZ1xnwVrIvOb5Zq3mseq+rV0RUliIjhmsvK5rKC2nhID0u2a+3Giar4s9EPjB29uPDmtisC3WWLHQdT5S1C2KQG6fcVn5mp3nml0iLohFGp5mtrifSRej1Zrbw/fsy+DW2/qzzkPM6+KPV1Cm+9n3RQW8bqX3wwyzcouwk0VpqFN1ZVmt5dE7Y5F2cY2dD7gmeyTr0K5ypG7bZGXXq8WZ8YYbDXY5dLGXeO/vk9XRCukIorYIBEn3GD7gn34JQfxzX6AuPsspKcnUaHW6ZylEKwKD686jH/DaCzoyib/fhBshIvTVlPrzf6l/gedvg9nvAD/h/wpQ==

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=falzG9wCgrZY9GMPGPMooEvy6Ohut7ooSEVIzzYoNyg=; b=cqfJrz6BH7ZFss8cvPrX5Rpc7vUnjERrMTmRHt+A9wpYIXIIgM/foTlfq12IKMwaUfV7agUc1nZGaByvxEufG0Z+v/o9+k9S4XvTu+RSHZ8mEVbj7GZNFpePJJc+d9c/YyBSgykyDX7DtqDC6wv+O4AK02YAh4kSz/tXDs+j19f2DOM/eg3w7hlUn3v1UqzOdnuxw3tE26MRuONtffhoE+du13JlvQgWtJGh9jd9zMHGcjffk/vd6d5atf5yXNk8Fn2VogIPACaUFvsdVW3IE4XfziGthnHBcNa5Ry1AAgAE3ghKzkF8yMeYaTBiXDbW/Ngf9bny4+QB32pYrSnb4Q==

Arc-seal: i=2; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=pass; b=kWfVD9vYcJWYVb+ufGVWvdU7NeuP01PW5C/2ktaNUVy5Sj4aEZz9i7VcA7wYRtjUlwXSgdx4mtjUq86KixXKUFDNuS5ac9y6so5jD5xrltuui3UjWs9AhIk7OVYLAF8YPvckzV+WO02zFPX1zla/D3Do0P5wjv6W9aHhGlAF6tT6yV4cvfTCXQJPakNTSRVgHnSK4qP+6n8/tgE4enL+1J8BbPFRBJu0KUxY4R88yhE178V86hAy5xiIvEz/dJoQljKgevVrSuAzaxgDZX1To2ytRzg8xO5txSeBDFJygnasEg9hsF4nmx10VfhvU732i9arlX7A9gIQwRxrvsv/+g==

Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=lvcmVn7qhjtFjlbKF3ExqYHbAbkj99nFb875I/S/Mfs2E1e8WrQGCD06DzeK5ECKSVa7r+JTBMyseiB9HeFyJdO7+N8CKns9eOZgBYsv/sUg4PTfzUb0uuIcKp2kdZgy/SFeTnSkKnQYHiuNk/9ZisLeKgUbCXg+ahsB3W92HGAkTfJtDl8KrqV7K3R0kAjOW3OxRjKWE62t03hTo7Mgnxyv4TGA257VZmhWTk8QciIKAoGFIhPkiviHvk0YrE6O3M7Avhd9il6gDLQesClds4QSkY2ss/aKk5N5ClUOXvAjiCrZIAvqIvwN+/E+usZgtdFmwFzDYbmno8X6LVkrxg==

Authentication-results-original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;

Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Rahul Singh <Rahul.Singh@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, Volodymyr Babchuk <Volodymyr_Babchuk@xxxxxxxx>

Delivery-date: Fri, 25 Jul 2025 06:13:03 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Nodisclaimer: true

Thread-index: AQHb/CTBUeABU74FEkyJ7zHVeZJ647RCXcqA

Thread-topic: [PATCH 1/2] xen/arm: smmuv3: fix UB during deassign

Hi, > On 24 Jul 2025, at 00:54, Stewart Hildebrand <Stewart.Hildebrand@xxxxxxx> > wrote: > > In arm_smmu_deassign_dev(), the return value from to_smmu_domain() is > NULL-checked. However, the implementation of to_smmu_domain() is a > container_of lookup, so the return value is unlikely to ever be NULL. In > case of a NULL argument to to_smmu_domain(), we will attempt to > dereference the non-NULL return value and encounter undefined behavior > and a crash: > > $ xl pci-assignable-remove 00:01.0 > (XEN) > ================================================================================ > (XEN) UBSAN: Undefined behaviour in drivers/passthrough/arm/smmu-v3.c:221:9 > (XEN) applying non-zero offset ffffffffffffffc0 to null pointer > (XEN) Xen WARN at common/ubsan/ubsan.c:174 > (XEN) ----[ Xen-4.21-unstable arm64 debug=y ubsan=y Tainted: C ]---- > ... > (XEN) Xen call trace: > (XEN) [<00000a0000350b2c>] ubsan.c#ubsan_epilogue+0x14/0xf0 (PC) > (XEN) [<00000a00003523e0>] __ubsan_handle_pointer_overflow+0x94/0x13c (LR) > (XEN) [<00000a00003523e0>] __ubsan_handle_pointer_overflow+0x94/0x13c > (XEN) [<00000a0000392f9c>] smmu-v3.c#to_smmu_domain+0x3c/0x40 > (XEN) [<00000a000039e428>] smmu-v3.c#arm_smmu_deassign_dev+0x54/0x43c > (XEN) [<00000a00003a0300>] smmu-v3.c#arm_smmu_reassign_dev+0x74/0xc8 > (XEN) [<00000a00003a7040>] pci.c#deassign_device+0x5fc/0xe0c > (XEN) [<00000a00003ade7c>] iommu_do_pci_domctl+0x7b4/0x90c > (XEN) [<00000a00003a34c0>] iommu_do_domctl+0x58/0xf4 > (XEN) [<00000a00002ca66c>] do_domctl+0x2690/0x2a04 > (XEN) [<00000a0000454d88>] traps.c#do_trap_hypercall+0xcf4/0x15b0 > (XEN) [<00000a0000458588>] do_trap_guest_sync+0xa88/0xdd8 > (XEN) [<00000a00003f8480>] entry.o#guest_sync_slowpath+0xa8/0xd8 > (XEN) > (XEN) > ================================================================================ > (XEN) Data Abort Trap. Syndrome=0x4 > (XEN) Walking Hypervisor VA 0xfffffffffffffff8 on CPU1 via TTBR > 0x00000000406d0000 > (XEN) 0TH[0x1ff] = 0x0 > (XEN) CPU1: Unexpected Trap: Data Abort > (XEN) ----[ Xen-4.21-unstable arm64 debug=y ubsan=y Tainted: C ]---- > ... > (XEN) Xen call trace: > (XEN) [<00000a000039e494>] smmu-v3.c#arm_smmu_deassign_dev+0xc0/0x43c (PC) > (XEN) [<00000a000039e428>] smmu-v3.c#arm_smmu_deassign_dev+0x54/0x43c (LR) > (XEN) [<00000a00003a0300>] smmu-v3.c#arm_smmu_reassign_dev+0x74/0xc8 > (XEN) [<00000a00003a7040>] pci.c#deassign_device+0x5fc/0xe0c > (XEN) [<00000a00003ade7c>] iommu_do_pci_domctl+0x7b4/0x90c > (XEN) [<00000a00003a34c0>] iommu_do_domctl+0x58/0xf4 > (XEN) [<00000a00002ca66c>] do_domctl+0x2690/0x2a04 > (XEN) [<00000a0000454d88>] traps.c#do_trap_hypercall+0xcf4/0x15b0 > (XEN) [<00000a0000458588>] do_trap_guest_sync+0xa88/0xdd8 > (XEN) [<00000a00003f8480>] entry.o#guest_sync_slowpath+0xa8/0xd8 > > Fix by changing to_smmu_domain() to return NULL in case of a NULL > argument. > > Fixes: 452ddbe3592b ("xen/arm: smmuv3: Add support for SMMUv3 driver") > Signed-off-by: Stewart Hildebrand <stewart.hildebrand@xxxxxxx> Sounds good to me: Acked-by: Bertrand Marquis <bertrand.marquis@xxxxxxx> Cheers Bertrand > --- > I'm unsure if that's the right Fixes: tag since I'm not sure if it can > be triggered prior to 63919fc4d1ca ("xen/arm: smmuv3: Add PCI devices > support for SMMUv3"). > --- > xen/drivers/passthrough/arm/smmu-v3.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/xen/drivers/passthrough/arm/smmu-v3.c > b/xen/drivers/passthrough/arm/smmu-v3.c > index 58f3331520df..db08d3c04269 100644 > --- a/xen/drivers/passthrough/arm/smmu-v3.c > +++ b/xen/drivers/passthrough/arm/smmu-v3.c > @@ -218,6 +218,9 @@ static struct arm_smmu_option_prop arm_smmu_options[] = { > > static struct arm_smmu_domain *to_smmu_domain(struct iommu_domain *dom) > { > + if ( !dom ) > + return NULL; > + > return container_of(dom, struct arm_smmu_domain, domain); > } > > > base-commit: 5c798ac8854af3528a78ca5a622c9ea68399809b > -- > 2.50.1 >

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.